DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment / Arguments
Regarding claims rejected under 35 USC 103:
Applicant’s arguments, in view of the amended claims, have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Challener (US 2006/0179476 A1).

Claim Objections
Claim 1 is objected to because of the following informalities:  "in anL3 message," "firstidentification information," “aremediation server,” and “thatthe,” which appear to be typographical errors.  Appropriate correction is required.

Claim 5 is objected to because of the following informalities:  "changeof authentication," which appears to be a typographical error.  Appropriate correction is required.

Claim 14 is objected to because of the following informalities:  "between theNAC," “aremediation server,” and “thatthe,” which appear to be typographical errors.  Appropriate correction is required.

Claim 21 is objected to because of the following informalities:  "in anL3 message," "firstidentification information," “aremediation server,” and “thatthe,” which appear to be typographical errors.  Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 5-12, 14-15, and 18-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chickering (US 8,966,075 B1) in view of Grosser (US 2016/0285647 A1) and Challener (US 2006/0179476 A1).
Regarding claim 1, Chickering discloses: A method, comprising: 
receiving, by a network access control (NAC) device (policy server of Chickering) that enforces a policy for accessing a remote network device of a network system (e.g., nodes of Chickering), authentication credentials of a user device (endpoint device of Chickering) in an OSI layer 2 (L2) message via an L2 communication channel, wherein the authentication credentials include first identification information of the user device, and the L2 communication channel is between the NAC device, a wireless local area network controller (WLC) device (e.g., switch / access point / physical device), and the user device; 
Refer to at least Col. 4, Ll. 49-57 of Chickering with respect to the endpoint device requesting access for communicating with the nodes. 
Refer to at least Col. 4, Ll. 58-63 and Col. 9, Ll. 52-62 of Chickering with respect to the endpoint device request comprising authentication credentials over an L2 connection. 
Refer to at least Col. 1, Ll. 31-34 and Col. 2, Ll. 61-Col. 3, Ll. 13 with respect to, e.g., a switch or access point.
authenticating, by the NAC device, the user device using the authentication credentials; 
Refer to at least Col. 6, Ll. 19-36 of Chickering with respect to the policy server performing authentication of the L2 request. 
after authenticating the user device, granting the user device limited access via the L2 communication channel to the network system by sending an accept message to the WLC device, the accept message being configured to be translated and relayed to the user device; 
Refer to at least Col. 3, Ll. 8-14 and Col. 6, Ll. 10-18 of Chickering with respect to the physical device used as a proxy / intermediary between the policy server and endpoint device.
creating a data entry for the L2 communication channel and the first identification information of the user device; 
Refer to at least Col. 9, Ll. 32-42 of Chickering with respect to a look-up table. 
following receipt of an internet protocol (IP) address from a dynamic host configuration protocol (DHCP) server by the user device, receiving, at the NAC device, an initiation of a connection of an OSI layer 3 (L3) communication channel from the user device; 
Refer to at least Col. 13, Ll. 11-21 of Chickering with respect to obtaining an IP from a DHCP server and commencing L3 communication.
establishing, by the NAC device, the L3 communication channel between the NAC device and the user device; 
Refer to at least Col. 2, Ll. 12-21, Col. 6, Ll. 36-51&61-67, and Col. 10, Ll. 3-18 of Chickering with respect to the policy server providing the endpoint device with an L3 address for establishing a communication session. 
receiving, by the NAC device, compliance information and second identification information of the user device in anL3 message via the L3 communication channel, wherein the L3 message is separate from the L2 message; 
Refer to at least Col. 2, Ll. 17-25, Col. 5, Ll. 7-15, Col. 6, Ll. 52-58, Col. 7, Ll. 7-28, and Col. 10, Ll. 18-21 of Chickering with respect to using the L3 session for monitoring, e.g., a variety of endpoint device information for policy compliance. 
associating, by the NAC device, the L2 communication channel with the L3 communication channel; 
Refer to at least Col. 8, Ll. 27-60 and Col. 9, Ll. 32-51 of Chickering with respect to associating the L2 connection and L3 policy information for allowing network access. 
in response to determining thatthe compliance information does not satisfy the policy, [performing a remedial action]; 
Refer to at least Col. 13, Ll. 32-58 of Chickering with respect to determining non-compliance and thereafter effecting policy change and/or reassignment. 
in response to determining that the compliance information satisfies the policy authorizing, by the NAC device, the user device full access to the  remote network device of the network system. 
Refer to at least FIG. 4 of Chickering with respect to allowing access while policies are complied with. 
Chickering does not specify: based on a match between the data entry of the   firstidentification information and the second identification information; sending data indicating aremediation server from which to retrieve a program or an update to bring the user device into compliance with the policy; receiving updated compliance information indicative of installation of the program or the update at the user device. However, Chickering in view of Grosser and Challener discloses: based on a match between the data entry of the   firstidentification information and the second identification information;
Refer to at least steps 215-222 in FIG. 2A of Grosser with respect to checking packet data for respectively associated identifiers.  
sending data indicating aremediation server from which to retrieve a program or an update to bring the user device into compliance with the policy; receiving updated compliance information indicative of installation of the program or the update at the user device. 
Refer to at least the abstract and FIG. 4B of Challener with respect to determining whether a client computer is in compliance with security policy and thereafter sending an appropriate compliance software for download and installation if not. The computer is put back on the network once it is compliant. 
The teachings of Chickering concern verifying MAC addresses (Col. 8, Ll. 22-60) and further concern VLAN tags (Col. 9, Ll. 11-42). Accordingly, they are considered to be combinable with the cited portions of Grosser concerning similar subject matter. The teachings of Chickering and Challener both concern policy compliance, and are considered to be combinable as well. 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Chickering to further include verifying the compliance information by determining whether it is correctly associated with its respective L2 identifier for at least the purpose of increasing the security (i.e., making sure that the endpoint device and/or its session is not being spoofed). It further would have been obvious to include utilizing a compliance fix server to download compliance fixes for at least the purpose of increasing security by automatically bringing endpoints into compliance with security rules.
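The flow recited in claim 1, as read in this rejection, can be sketched as follows. This is an added illustration, not part of the Office action, the application, or any cited reference; the class and function names, policy fields, identifiers and remediation server name are constructed placeholders.

```python
import hmac

POLICY = {"av_running": True, "min_patch_level": 10}   # constructed policy
REMEDIATION_SERVER = "remediation.example.internal"    # placeholder name

def compliant(report):
    """Check a compliance report (from the L3 message) against POLICY."""
    return (report.get("av_running") is True
            and report.get("patch_level", 0) >= POLICY["min_patch_level"])

class Nac:
    """Toy NAC: L2 authentication first, then an L3 posture check tied to it."""

    def __init__(self, credentials):
        self.credentials = credentials   # first identification info -> secret
        self.entries = {}                # first identification info -> session

    def l2_authenticate(self, channel, first_id, secret):
        """L2 message relayed by the WLC: authenticate, grant limited access."""
        expected = self.credentials.get(first_id, "")
        if not expected or not hmac.compare_digest(
                expected.encode(), secret.encode()):
            return "reject"
        # Data entry for the L2 channel and the first identification info.
        self.entries[first_id] = {"l2_channel": channel, "access": "limited"}
        return "accept-limited"

    def l3_compliance(self, l3_channel, second_id, report):
        """Separate L3 message: associate it with the L2 entry, then decide."""
        entry = self.entries.get(second_id)
        if entry is None:
            # No L2 entry matches the second identification information:
            # the L3 session cannot be tied to an authenticated device.
            return {"access": "denied", "reason": "no matching L2 entry"}
        entry["l3_channel"] = l3_channel          # L2 <-> L3 association
        if not compliant(report):
            entry["access"] = "limited"
            return {"access": "limited",
                    "remediation_server": REMEDIATION_SERVER}
        entry["access"] = "full"
        return {"access": "full"}
```

A device that receives the remediation pointer stays on limited access until it sends an updated report that passes `compliant`, at which point the same call returns full access.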

Regarding claim 2, it is rejected for substantially the same reasons as claim 1 above (i.e., the citations to Chickering above comprise the EAP protocol).

Regarding claim 5, Chickering-Grosser-Challener discloses: The method of claim 4, further comprising sending a remote authentication dial-in user service (RADIUS) change of authentication (CoA) message to assign the user device to a second virtual local area network (VLAN).
Refer to at least Col. 3, Ll. 26-36 and Col. 6, Ll. 30-43 of Chickering with respect to providing L3 information via RADIUS and EAP. 

Regarding claim 6, it is rejected for substantially the same reasons as claims 4-5 above (i.e., RADIUS and EAP messaging as per Chickering).

Regarding claim 7, it is rejected for substantially the same reasons as claim 1 above (i.e., the policy server performing authentication of the credentials; EAP/RADIUS).

Regarding claim 8, it is rejected for substantially the same reasons as claim 1 above (i.e., citations discussing EAP/RADIUS—e.g., Col. 6, Ll. 19-21 of Chickering).

Regarding claim 9, it is rejected for substantially the same reasons as claim 1 above (e.g., Col. 7, Ll. 11-28 and Col. 5, Ll. 7-11 of Chickering).

Regarding claim 10, it is rejected for substantially the same reasons as claim 1 above (“For example, in an alternative embodiment, policy server 14 may be configured to verify MAC addresses of endpoint devices 10. Policy server 14 may include policies relative to the MAC addresses of endpoint devices 10.”).

Regarding claim 11, Chickering-Grosser-Challener discloses: The method of claim 1, wherein the first identification information comprises at least one of a user name and password or a digital certificate of the user device, and wherein the second identification information comprises the user name and password or the digital certificate of the user device.
Refer to at least Col. 9, Ll. 57-61 with respect to exemplary login and compliance information, such as a user identification and password. 
This claim would have been obvious for substantially the same reasons as claim 1 above.

Regarding claim 12, Chickering-Grosser-Challener discloses: The method of claim 1, further comprising sending instructions to the user device to cause the user device to install a compliance agent, wherein receiving the compliance information comprises receiving the compliance information from the compliance agent of the user device.
Refer to at least Col. 8, Ll. 41-53 of Chickering with respect to agent software and its installation for monitoring compliance. 

Regarding independent claim 14, it is substantially similar to independent claim 1, and is therefore likewise rejected (i.e., the citations and obviousness rationale).

Regarding claims 15 and 18-20, they are substantially similar to claims 2, 4-6, and 10 above, and are therefore likewise rejected.

Regarding independent claim 21, it is substantially similar to independent claim 1, and is therefore likewise rejected (i.e., the citations and obviousness rationale).

Claims 3 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Chickering-Grosser-Challener as applied to claims 1-2, 5-12, 14-15, and 18-21 above, and further in view of Choyi (US 2018/0183802 A1).

Regarding claim 3, Chickering-Grosser-Challener does not disclose: wherein the authentication credentials are formatted according to security assertion markup language (SAML). However, Chickering-Grosser-Challener in view of Choyi discloses: wherein the authentication credentials are formatted according to security assertion markup language (SAML).
Refer to at least [0276] of Choyi with respect to interchangeably using EPA, SAML, and other authentication protocols.
The teachings of Choyi concern authentication protocols, and are considered to be combinable as such.
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of Applicant’s invention to modify the teachings of Chickering-Grosser-Challener to further include support for SAML because the substitution of one known element for another would have yielded predictable results to one of ordinary skill in the art at the time (i.e., the form of login information / credentials which are used during authentication—which is already broadly disclosed by the cited portions of Chickering).

Regarding claim 16, it is substantially similar to claim 3 above, and is therefore likewise rejected. 

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to VADIM SAVENKOV whose telephone number is (571)270-5751. The examiner can normally be reached 12PM-8PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/DAO Q HO/Primary Examiner, Art Unit 2432