DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This action is responsive to the communication filed on 01/04/2022.

 	Applicant argued on page 7 of the remarks that Li does not disclose receiving, by a terminal device in an access authentication process, response information of access authentication information from an access network element, wherein the access authentication process is to authenticate whether the terminal device can access an access network, and wherein the response information comprises address information of the access network element.

 	Examiner respectfully and does not explicitly concede that Li does not disclose the above limitations. The new limitations above are disclosed by Murphy et al US 9,667,485.
 	Murphy discloses, in claim 1: An apparatus, comprising: a processor of an access point configured to be operatively within a network including a plurality of network nodes and a core network node, and a transceiver of the access point configured to send a first discovery message, the transceiver configured to receive a second discovery message, responding based on the first discovery message, the processor configured to identify an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, the processor configured to set up, create, a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node, and the network node is configured to be authenticated based on the second authentication message.
 	Col. 10, lines 7-35: As a first step after booting up, a network node (e.g., an access point, an access network node, an aggregation network node) can be automatically authenticated. Specifically, the network node can be configured to send a first authentication message to a second network node (e.g., an access network node, an aggregation network node, a core network node) directly coupled to the network node, which has been configured and functioning as a network element of the homogeneous enterprise network 200. The first authentication message can be a message that requests the network node to be authenticated as a network element of the homogeneous enterprise network 200. In response to receiving the first authentication message, if the second network node is capable of authenticating the network node (e.g., an authentication server, not shown in FIG. 2), the second network node can be configured to generate and send a second authentication message to the network node, which authenticates the network node based on the first authentication message. Alternatively, if the second network node is not capable of authenticating the network node, the second network node can be configured to forward the first authentication message to a third network node (e.g., an authentication server, not shown in FIG. 2) that is capable of authenticating the network node. As a result, a second authentication message that authenticates the network node is sent from the third network node to the second network node, from which the second authentication message is forwarded to and applied accordingly at the network node. Thus, the network node is authenticated and allowed to access resources located on the homogeneous enterprise network 200 based on the second authentication message.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.



Claims 1, 7-9, 15-16 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Li et al US 2014/0245403 in view of Murphy et al US 9,667,485.

 	As per claim 1, Li discloses an authentication method, comprising: 
 	selecting, by the terminal device, the access network element corresponding to the address information to initiate a tunnel authentication procedure ( par 0095  data security channel of an S2c tunnel is established or updated according to a trust relationship of access of the user equipment, i.e. by the terminal device ), wherein the tunnel authentication procedure is a procedure to authenticate whether the terminal device can access a core network by using a tunnel technology ([0092] 802. After the PDN-GW receives the binding update request message, the PDN-GW determines whether an S6b session of the UE already exists or a security association has been established with the UE. If the S6b interface session of the UE already exists or a security association has been established with the UE, it indicates that the PDN-GW has previously requested an AAA server to perform authentication and authorization for the UE; in this case, the PDN-GW sends an authorization request message to the AAA server. The authorization request message includes a UE identity and further includes a network identifier. The network identifier includes one or more of the following types of information: an access network identifier, a security mechanism that is used in an access network, an access type; in the case of a roaming scenario, a visited network identity is further included).  

 	Li does not explicitly disclose receiving, by a terminal device in an access authentication process, response information of access authentication information from an access network element, wherein the access authentication process is to authenticate whether the terminal device can access an access network, and wherein the response information comprises address information of the access network element.

 	However, Murphy discloses receiving, by a terminal device in an access authentication process, response information of access authentication information from an access network element, wherein the access authentication process is to authenticate whether the terminal device can access an access network, and wherein the response information comprises address information of the access network element (Col. 10, lines 7-35: As a first step after booting up, a network node (e.g., an access point, an access network node, an aggregation network node) can be automatically authenticated. Specifically, the network node can be configured to send a first authentication message to a second network node (e.g., an access network node, an aggregation network node, a core network node) directly coupled to the network node, which has been configured and functioning as a network element of the homogeneous enterprise network 200. The first authentication message can be a message that requests the network node to be authenticated as a network element of the homogeneous enterprise network 200. In response to receiving the first authentication message, if the second network node is capable of authenticating the network node (e.g., an authentication server, not shown in FIG. 2), the second network node can be configured to generate and send a second authentication message to the network node, which authenticates the network node based on the first authentication message. Claim 1: the transceiver configured to receive a second discovery message, responding based on the first discovery message, the processor configured to identify an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, the processor configured to set up, create, a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node, and the network node is configured to be authenticated based on the second authentication message).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, because doing so would provide a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node.

 	

 	
 	
 
 	As per claim 7, Li in view of Murphy discloses the method according to claim 1, Li discloses wherein the access network is a trusted non-3rd Generation Partnership Project (3GPP) access network ([0031] As shown in FIG. 1, the S2c interface may be used to access an EPS network by using a non-3GPP access network or a 3GPP network. For a trusted non-3GPP access network, a UE connects to a PDN-GW directly by using the non-3GPP access network; however, for an untrusted non-3GPP access network, the UE needs to connect to a PDN-GW network element by using an evolved packet data gateway ePDG trusted by a home network. For a 3GPP access network, the UE connects to the PDN-GW network element by using an S-GW (serving gateway).).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, because doing so would provide a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node.

 	As per claim 8, Li in view of Murphy discloses the method according to claim 1, Li  discloses wherein the access network element is a trusted non-3GPP access network gateway ( par 0032, the UE accesses an EPC by using the PDN-GW via the S2c interface, if the UE accesses the EPC by using a trusted non-3GPP access network, the PDN-GW needs to initiate establishment of a child security association Child SA to protect a data plane; if the UE accesses the EPC by using an untrusted non-3GPP access network, the PDN-GW establishes a DSMIPv6 security channel by using an IPSec channel between the UE and ePDG, so as to perform integrity protection and confidentiality protection for data; if the UE accesses the EPC by using a 3GPP access network, data security protection between the UE and the PDN-GW is provided by using an authentication encryption mechanism of the 3GPP itself.).   

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, because doing so would provide a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node.

 	As per claim 9, Li discloses an authentication apparatus, comprising at least one processor and a memory, wherein the memory is coupled to the at least one processor and stores instructions executable by the at least one processor ( [0156] When the integrated units are implemented in a form of a software functional unit and sold or used as an independent product, the integrated units may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or all or a part of the technical solutions may be implemented in a form of a software product. The computer software product is stored in a storage medium and includes several instructions for instructing a computer device (which may be a personal computer, a server, or a network device) to perform all or a part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes: any mediums that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM),), wherein the instructions, when executed by the at least one processor, enables the apparatus to perform operations comprising: 
 	selecting, by the terminal device, the access network element corresponding to the address information to initiate a tunnel authentication procedure ( par 0095  data security channel of an S2c tunnel is established or updated according to a trust relationship of access of the user equipment, i.e. by the terminal device ), wherein the tunnel authentication procedure is a procedure to authenticate whether the terminal device can access a core network by using a tunnel technology ([0092] 802. After the PDN-GW receives the binding update request message, the PDN-GW determines whether an S6b session of the UE already exists or a security association has been established with the UE. If the S6b interface session of the UE already exists or a security association has been established with the UE, it indicates that the PDN-GW has previously requested an AAA server to perform authentication and authorization for the UE; in this case, the PDN-GW sends an authorization request message to the AAA server. The authorization request message includes a UE identity and further includes a network identifier. The network identifier includes one or more of the following types of information: an access network identifier, a security mechanism that is used in an access network, an access type; in the case of a roaming scenario, a visited network identity is further included).  

 	Li does not explicitly disclose receiving, by a terminal device in an access authentication process, response information of access authentication information from an access network element, wherein the access authentication process is to authenticate whether the terminal device can access an access network, and wherein the response information comprises address information of the access network element.

 	However, Murphy discloses receiving, by a terminal device in an access authentication process, response information of access authentication information from an access network element, wherein the access authentication process is to authenticate whether the terminal device can access an access network, and wherein the response information comprises address information of the access network element (Col. 10, lines 7-35: As a first step after booting up, a network node (e.g., an access point, an access network node, an aggregation network node) can be automatically authenticated. Specifically, the network node can be configured to send a first authentication message to a second network node (e.g., an access network node, an aggregation network node, a core network node) directly coupled to the network node, which has been configured and functioning as a network element of the homogeneous enterprise network 200. The first authentication message can be a message that requests the network node to be authenticated as a network element of the homogeneous enterprise network 200. In response to receiving the first authentication message, if the second network node is capable of authenticating the network node (e.g., an authentication server, not shown in FIG. 2), the second network node can be configured to generate and send a second authentication message to the network node, which authenticates the network node based on the first authentication message. Claim 1: the transceiver configured to receive a second discovery message, responding based on the first discovery message, the processor configured to identify an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, the processor configured to set up, create, a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node, and the network node is configured to be authenticated based on the second authentication message).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, because doing so would provide a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node.



 	As per claim 15,  Li in view of Murphy discloses the apparatus according to claim 9, Li discloses wherein the access network is a trusted non-3rd Generation Partnership Project (3GPP) access network ( par 0033 the PDN-GW needs to learn whether access of the current UE is performed by using the trusted non-3GPP access network, untrusted non-3GPP access network, or 3GPP access network. This is a precondition for correctly establishing or updating a data security channel of an S2c tunnel, and especially when the UE accesses the EPC via the S2c interface after handing over between the trusted non-3GPP access network, 3GPP access network, and untrusted non-3GPP access network, the PDN-GW needs to distinguish an access scenario, so as to complete correct establishment or update of the data security channel.).  

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, because doing so would provide a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node.


 	As per claim 16, Li discloses a non-transitory computer readable storage medium, wherein the non- transitory computer readable storage medium stores a computer program, wherein the computer program comprises instructions, wherein when the instructions are executed on a terminal device ( [0156] When the integrated units are implemented in a form of a software functional unit and sold or used as an independent product, the integrated units may be stored in a computer-readable storage medium. Based on such an understanding, the technical solutions of the present invention essentially, or the part contributing to the prior art, or all or a part of the technical solutions may be implemented in a form of a software product. The computer software product is stored in a storage medium and includes several instructions for instructing a computer device (which may be a personal computer, a server, or a network device) to perform all or a part of the steps of the methods described in the embodiments of the present invention. The foregoing storage medium includes: any mediums that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM)), the terminal device is enabled to implement operations comprising: 
 	selecting, by the terminal device, the access network element corresponding to the address information to initiate a tunnel authentication procedure ( par 0095  data security channel of an S2c tunnel is established or updated according to a trust relationship of access of the user equipment, i.e. by the terminal device ), wherein the tunnel authentication procedure is a procedure to authenticate whether the terminal device can access a core network by using a tunnel technology ([0092] 802. After the PDN-GW receives the binding update request message, the PDN-GW determines whether an S6b session of the UE already exists or a security association has been established with the UE. If the S6b interface session of the UE already exists or a security association has been established with the UE, it indicates that the PDN-GW has previously requested an AAA server to perform authentication and authorization for the UE; in this case, the PDN-GW sends an authorization request message to the AAA server. The authorization request message includes a UE identity and further includes a network identifier. The network identifier includes one or more of the following types of information: an access network identifier, a security mechanism that is used in an access network, an access type; in the case of a roaming scenario, a visited network identity is further included).  

 	Li does not explicitly disclose receiving, by a terminal device in an access authentication process, response information of access authentication information from an access network element, wherein the access authentication process is to authenticate whether the terminal device can access an access network, and wherein the response information comprises address information of the access network element.

 	However, Murphy discloses receiving, by a terminal device in an access authentication process, response information of access authentication information from an access network element, wherein the access authentication process is to authenticate whether the terminal device can access an access network, and wherein the response information comprises address information of the access network element (Col. 10, lines 7-35: As a first step after booting up, a network node (e.g., an access point, an access network node, an aggregation network node) can be automatically authenticated. Specifically, the network node can be configured to send a first authentication message to a second network node (e.g., an access network node, an aggregation network node, a core network node) directly coupled to the network node, which has been configured and functioning as a network element of the homogeneous enterprise network 200. The first authentication message can be a message that requests the network node to be authenticated as a network element of the homogeneous enterprise network 200. In response to receiving the first authentication message, if the second network node is capable of authenticating the network node (e.g., an authentication server, not shown in FIG. 2), the second network node can be configured to generate and send a second authentication message to the network node, which authenticates the network node based on the first authentication message. Claim 1: the transceiver configured to receive a second discovery message, responding based on the first discovery message, the processor configured to identify an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, the processor configured to set up, create, a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node, and the network node is configured to be authenticated based on the second authentication message).

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, because doing so would provide a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node.
 	
 	
 	As per claim 20, Li in view of Murphy discloses the non-transitory computer readable storage medium according to claim 16, Li discloses wherein the access network is a trusted non-3rd Generation Partnership Project (3GPP) access network( par 0033 the PDN-GW needs to learn whether access of the current UE is performed by using the trusted non-3GPP access network, untrusted non-3GPP access network, or 3GPP access network. This is a precondition for correctly establishing or updating a data security channel of an S2c tunnel, and especially when the UE accesses the EPC via the S2c interface after handing over between the trusted non-3GPP access network, 3GPP access network, and untrusted non-3GPP access network, the PDN-GW needs to distinguish an access scenario, so as to complete correct establishment or update of the data security channel.).  

 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, because doing so would provide a control-plane tunnel to the core network node based on the address of the access point and the address for the core network node.



Claims 4, 12 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Li US 2014/0245403 in view of Murphy et al US 9,667,485 in view of Eronen et al US 2006/0253703.

 	As per claim 4, Li in view of Murphy discloses the method according to claim 1, further comprising: Li discloses the access network element authenticates the terminal device (par 0095, where the trust relationship is indicated in an authorization response message of the authentication and authorization device),
 	but does not explicitly disclose sending, by the terminal device, the access authentication information to the access network element, wherein the access authentication information is extensible authentication protocol (EAP) information.
 	However, Eronen discloses sending, by the terminal device, the access authentication information to the access network element, wherein the access authentication information is extensible authentication protocol (EAP) information (fig. 4, par 0073: In IKE authentication phase security entity 304 sends IKE_AUTH message comprising mobile node 300 identity MS-Id, a value that authenticates mobile node 300 and verifies that mobile node 300 was the sender of the earlier IKE_SA_INIT message, algorithms proposed by mobile node 300 for authentication and a traffic specification, which provides information on source and destination IP addresses for the security association).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, and based on the teaching of Eronen of sending the MS-ID of the mobile device to the Gateway, because doing so would provide for establishing Security Associations (SA) between a pair of hosts (par 0005).

 	As per claim 12, Li in view of Murphy discloses the apparatus according to claim 9, wherein the operations further comprise: Li discloses the access network element authenticates the terminal device (par 0095, where the trust relationship is indicated in an authorization response message of the authentication and authorization device),
 	but does not explicitly disclose sending, by the terminal device, the access authentication information to the access network element, wherein the access authentication information is extensible authentication protocol (EAP) information.
 	However, Eronen discloses sending, by the terminal device, the access authentication information to the access network element, wherein the access authentication information is extensible authentication protocol (EAP) information (fig. 4, par 0073: In IKE authentication phase security entity 304 sends IKE_AUTH message comprising mobile node 300 identity MS-Id, a value that authenticates mobile node 300 and verifies that mobile node 300 was the sender of the earlier IKE_SA_INIT message, algorithms proposed by mobile node 300 for authentication and a traffic specification, which provides information on source and destination IP addresses for the security association).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, and based on the teaching of Eronen of sending the MS-ID of the mobile device to the Gateway 314, because doing so would provide for establishing Security Associations (SA) between a pair of hosts (par 0005).

 	As per claim 19, Li in view of Murphy discloses the non-transitory computer readable storage medium according to claim 16, wherein the operations further comprise: Li discloses the access network element authenticates the terminal device (par 0095, where the trust relationship is indicated in an authorization response message of the authentication and authorization device),
 	but does not explicitly disclose sending, by the terminal device, the access authentication information to the access network element, wherein the access authentication information is extensible authentication protocol (EAP) information.
 	However, Eronen discloses sending, by the terminal device, the access authentication information to the access network element, wherein the access authentication information is extensible authentication protocol (EAP) information (fig. 4, par 0073: In IKE authentication phase security entity 304 sends IKE_AUTH message comprising mobile node 300 identity MS-Id, a value that authenticates mobile node 300 and verifies that mobile node 300 was the sender of the earlier IKE_SA_INIT message, algorithms proposed by mobile node 300 for authentication and a traffic specification, which provides information on source and destination IP addresses for the security association).
 	Therefore, it would have been obvious before the effective filing date of the claimed invention to implement the claimed invention by modifying the user authentication method of Li, based on the teaching of Murphy of identifying an address, i.e. address information, of the access point, i.e. access network element, and an address of the core network node based on the second discovery message, and based on the teaching of Eronen of sending the MS-ID of the mobile device to the Gateway, because doing so would provide for establishing Security Associations (SA) between a pair of hosts (par 0005).



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Bachmann et al US 2011/0216743. [0012] When the mobile terminal is active in a non-3GPP access network, there is a local IP address used to route packets to the mobile terminal in the non-3GPP access. This IP address is the Care-of Address in the terminology of Mobile IP. In case of DSMIPv6, the address is assigned to the mobile terminal, and the mobile terminal is sending Binding Updates using its Care-of address to the PDN-GW, which has the function of the Home Agent (HA). In case of PMIPv6, the Care-of address is an address of a Mobile Access Gateway (MAG) that is located in the non-3GPP access network, and the MAG is sending Proxy Binding Updates using its (Proxy-) Care-of Address to the PDN-GW of the 3GPP network, which has the function of the Local Mobility Anchor (LMA).

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABU S SHOLEMAN whose telephone number is (571)270-7314. The examiner can normally be reached EST: 9am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JORGE ORTIZ CRIADO can be reached on 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABU S SHOLEMAN/Primary Examiner, Art Unit 2496