DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

                                                      Examiner’s Amendment
2.	An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Meng Pua (Reg. No. 63,167), who agreed and authorized the Examiner to amend claims 1, 4-5, and 11-12 and to cancel claims 2-3, 8-10, and 13-14.

The application has been amended as follows:

                                                                Claims

1. (Currently Amended) A method for access control, comprising:
performing, by a user equipment, network layer mutual authentication with a local service center when the user equipment needs to access a network; and
performing, by the user equipment, access layer mutual authentication with an access point of a corresponding access points group after the network layer mutual authentication is passed, so that the user equipment accesses the access points group after the access layer mutual authentication is passed;
wherein the access point of the corresponding access points group is determined by the local service center after the network layer mutual authentication is passed;
wherein performing, by the user equipment, access layer mutual authentication with the access point of the corresponding access points group, comprises:
authenticating, by the user equipment, a network according to an access layer authentication request message comprising an access points group identifier and an access layer authentication parameter and transmitted by a target access point in the access points group; and
transmitting, by the user equipment, an access layer authentication request response message comprising the access points group identifier to the target access point after authentication of the network is passed, so that the target access point authenticates the user equipment according to the access layer authentication request response message;
wherein authenticating, by the user equipment, the network according to the access layer authentication request message comprising the access points group identifier and transmitted by the target access point in the access points group, comprises:
determining, by the user equipment, a second authentication token according to a random number in the access layer authentication request message; and
determining, by the user equipment, that the authentication of the network is passed if the second authentication token and a first authentication token in the access layer authentication request message are same. 

2. (Canceled) 
3. (Canceled)
4. (Currently Amended) The method according to claim 1 
determining, by the user equipment, an authentication response parameter according to the random number after the authentication of the network is passed; and
transmitting, by the user equipment, the access layer authentication request response message comprising the access points group identifier and the authentication response parameter to the target access point, so that the target access point authenticates the user equipment according to the access points group identifier and the authentication response parameter.
5. (Currently Amended) A method for access control, comprising:
performing, by a local service center, network layer mutual authentication with a user equipment after receiving an access request message from the user equipment;
determining, by the local service center, an access points group corresponding to the user equipment after determining that the network layer mutual authentication with the user equipment is passed; and
instructing, by the local service center, an access point of the access points group to perform access layer mutual authentication with the user equipment, so that the access points group allows the user equipment to access the access points group after the access layer mutual authentication is passed;
wherein instructing, by the local service center, the access point of the access points group to perform access layer mutual authentication with the user equipment, comprises:
determining, by the local service center, a target access point in the access points group; and
instructing, by the local service center, the target access point to perform access layer mutual authentication with the user equipment;
wherein instructing, by the local service center, the target access point to perform access layer mutual authentication with the user equipment, comprises:
transmitting, by the local service center, to the target access point an access points group identifier corresponding to the access points group and an access layer authentication parameter corresponding to the user equipment, so that the target access point performs access layer mutual authentication with the user equipment according to the access points group identifier and the access layer authentication parameter;
wherein authenticating, by the local service center, the user equipment according to the network layer authentication request response message transmitted by the user equipment, comprises:
determining, by the local service center, that authentication of the user equipment is passed if an authentication response parameter comprised in the network layer authentication request response message and an expected response parameter in the network layer authentication parameter are same.

8. (Canceled)
9. (Canceled) 
10. (Canceled) 
11. (Currently Amended) The method according to claim [[10]] 5, wherein the local service center determines the access layer authentication parameter corresponding to the user equipment by:
obtaining the access layer authentication parameter corresponding to the user equipment from a network service center; or
determining the access layer authentication parameter corresponding to the user equipment, according to a network layer authentication parameter corresponding to the user equipment, and the access points group identifier.

12. (Currently Amended) A method for access control, comprising:
receiving, by an access point, from a local service center an access layer authentication parameter corresponding to a user equipment, wherein the access layer authentication parameter is transmitted by the local service center after the local service center determines that network layer mutual authentication with the user equipment is passed; and
performing, by the access point, access layer mutual authentication with the user equipment, and allowing the user equipment to access the access point of a corresponding access points group after determining that the access layer mutual authentication with the user equipment is passed;
wherein performing, by the access point, access layer mutual authentication with the user equipment corresponding to the access layer authentication parameter, comprises:
transmitting, by the access point, an access layer authentication request message comprising an access points group identifier and the access layer authentication parameter to the user equipment, so that the user equipment authenticates a network according to the access layer authentication request message; and
authenticating, by the access point, the user equipment according to an access layer authentication request response message if the access point receives from the user equipment the access layer authentication request response message comprising the access points group identifier;
wherein authenticating, by the access point, the user equipment according to the access layer authentication request response message comprising the access points group identifier and transmitted by the user equipment, comprises:
determining, by the access point, that authentication of the user equipment is passed if an authentication response parameter comprised in the access layer authentication request response message and an expected response parameter in the access layer authentication parameter are same.

13. (Canceled) 
14. (Canceled)

                                     Examiner’s Statement of Reasons for Allowance

3. 	Claims 1, 4-7, 11-12, and 29-31 are allowable.
The following is an Examiner’s statement of reasons for allowance:
The claims are directed to an access control method and device for resolving the problem in the prior art that a user equipment cannot securely access an access point group (APG). When a user equipment needs to access a network, the user equipment conducts network-layer two-way authentication with a local service center; after the network-layer two-way authentication succeeds, the user equipment conducts access-layer two-way authentication with a corresponding APG so as to enable the user equipment to access the corresponding APG after the access-layer two-way authentication succeeds. The present invention uses dual-layer two-way authentication, and enables the user equipment to access a corresponding APG after the dual-layer two-way authentication succeeds, so that the user equipment can securely access the corresponding APG.
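The two-layer exchange summarized above (and spelled out in claims 1, 5, 11 and 12) can be followed more easily as running code. The following Python model is an added illustration, not code from the application or from the examiner: the local service center challenges the user equipment at the network layer, derives an access-layer parameter from the network-layer parameter and the APG identifier, hands it to the target access point, and the access point then runs the access-layer challenge. Every concrete derivation (HMAC-SHA256 with fixed labels for the tokens, responses and access-layer key), the message field layout, the subscriber key and the APG identifier are constructed assumptions for the demonstration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed model of dual-layer mutual authentication. All derivations below
# are assumptions made for this example; the claims do not fix a particular one.

def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed derivation (HMAC-SHA256) used for every token, response and key here."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)  # length-prefix each field
    return h.digest()

@dataclass
class AuthParameter:
    """An 'authentication parameter' in the sense of the claims."""
    rand: bytes    # random number carried in the authentication request message
    token: bytes   # first authentication token: proves the sender knows the key
    xres: bytes    # expected response parameter kept by the verifier

def make_parameter(key: bytes, context: bytes) -> AuthParameter:
    rand = secrets.token_bytes(16)
    return AuthParameter(rand, prf(key, b"token", context, rand), prf(key, b"res", context, rand))

class UserEquipment:
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.nl_rand = None  # kept after network-layer success for the access-layer key

    @staticmethod
    def check_token(key: bytes, context: bytes, rand: bytes, first_token: bytes) -> bool:
        # claim 1: derive a second authentication token from the random number and compare
        return hmac.compare_digest(prf(key, b"token", context, rand), first_token)

    def network_layer(self, rand: bytes, token: bytes):
        """Authenticate the network; return the response parameter or None on failure."""
        if not self.check_token(self.key, b"network-layer", rand, token):
            return None
        self.nl_rand = rand
        return prf(self.key, b"res", b"network-layer", rand)

    def access_layer(self, apg_id: bytes, rand: bytes, token: bytes):
        """Handle an access-layer request (APG id, random number, first token)."""
        if self.nl_rand is None:  # access layer only runs after the network layer passed
            return None
        al_key = prf(self.key, b"access-layer-key", apg_id, self.nl_rand)
        if not self.check_token(al_key, apg_id, rand, token):
            return None
        return apg_id, prf(al_key, b"res", apg_id, rand)  # response carries the APG id

class AccessPoint:
    def __init__(self):
        self.apg_id, self.param = None, None

    def provision(self, apg_id: bytes, param: AuthParameter):
        """Instruction from the local service center (claim 5)."""
        self.apg_id, self.param = apg_id, param

    def authenticate(self, ue: UserEquipment) -> bool:
        reply = ue.access_layer(self.apg_id, self.param.rand, self.param.token)
        if reply is None:
            return False  # the UE did not accept the network
        apg_id, res = reply
        # claim 12: pass only if the response matches the expected response for this APG
        return apg_id == self.apg_id and hmac.compare_digest(res, self.param.xres)

class LocalServiceCenter:
    def __init__(self, subscriber_keys, apg_of_ue, aps):
        self.keys = subscriber_keys  # UE id -> long-term key (assumed to be shared)
        self.apg_of_ue = apg_of_ue   # UE id -> APG identifier the UE may access
        self.aps = aps               # APG identifier -> access points in that group

    def handle_access_request(self, ue_id: str, ue: UserEquipment) -> str:
        key = self.keys[ue_id]
        nl = make_parameter(key, b"network-layer")
        res = ue.network_layer(nl.rand, nl.token)
        # claim 5: UE passes if its response equals the expected response parameter
        if res is None or not hmac.compare_digest(res, nl.xres):
            return "network-layer authentication failed"
        apg_id = self.apg_of_ue[ue_id]
        # claim 11 (second alternative): access-layer parameter derived from the
        # network-layer parameter and the APG identifier
        al_key = prf(key, b"access-layer-key", apg_id, nl.rand)
        target_ap = self.aps[apg_id][0]  # target selection policy is an assumption
        target_ap.provision(apg_id, make_parameter(al_key, apg_id))
        return "granted" if target_ap.authenticate(ue) else "access-layer authentication failed"

SUBSCRIBER_KEY = bytes(range(32))  # constructed key shared by the UE and the network

def run_scenario(ue_key: bytes = SUBSCRIBER_KEY) -> str:
    ap = AccessPoint()
    lsc = LocalServiceCenter({"ue-1": SUBSCRIBER_KEY}, {"ue-1": b"apg-7"}, {b"apg-7": [ap]})
    return lsc.handle_access_request("ue-1", UserEquipment(ue_key))

def rogue_ap_scenario() -> bool:
    """An AP never instructed by the LSC cannot produce a token the UE accepts."""
    ue = UserEquipment(SUBSCRIBER_KEY)
    nl = make_parameter(SUBSCRIBER_KEY, b"network-layer")
    ue.network_layer(nl.rand, nl.token)  # network layer passes as usual
    rogue = AccessPoint()
    rogue.provision(b"apg-7", make_parameter(secrets.token_bytes(32), b"apg-7"))
    return rogue.authenticate(ue)

if __name__ == "__main__":
    print("legitimate UE:", run_scenario())
    print("UE with wrong key:", run_scenario(bytes(32)))
    print("rogue access point accepted:", rogue_ap_scenario())
```

The point the model makes visible is the one the claims turn on: the access point never sees the subscriber key, only a parameter bound to the APG identifier and to the network-layer exchange, so an access point that was not instructed by the local service center for that group cannot pass the user equipment's token check, and a user equipment that failed the network layer never reaches the access layer.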
The closest prior art, Targali et al. (2013/0298209), discloses that a persistent security association between the UE and the IdP is created at any layer of a communications stack. The security association is created at the application layer. Phase 1 is implemented over a first network, such as a cellular network or a WLAN for example. For example, phase 1 implements application layer authentication between the UE and the IdP. The application layer authentication may result in the derivation of one or more keys, such as a ciphering key and/or an integrity key, which may be used to create a Master Key (MK). The application layer authentication may be implemented in accordance with various protocols such as GBA, OpenID, OpenID Connect, or the like, or in accordance with a network layer authentication such as EAP. At 60 (phase 2), authentication occurs between the UE and the IdP. Such authentication may be at the access, network, or application layer. An identity of a second network that is different than the first network is discovered during phase 2. For example, the second network may be a WLAN network or a hotspot network. Such an identity may comprise the identity of a local network node. Thus, the local network node may be part of a WLAN or a hotspot network. Keys are generated at phase 2, such as a master session key (MSK) or an EMSK for example, which are specific to the authentication mechanisms used by the second network. The keys may be bound to the UE and the second network. Phase 2 may be implemented using various messaging protocols, such as HTTP messages at the application layer or EAP messages at the network layer for example. The access layer authentication in phase 2 may be implemented in accordance with EAP, EAP-AKA/TLS, or the like.
The prior art of Targali et al. (2013/0298209) does not disclose or suggest, “transmitting, by the user equipment, an access layer authentication request response message comprising the access points group identifier to the target access point after authentication of the network is passed, so that the target access point authenticates the user equipment according to the access layer authentication request response message; wherein authenticating, by the user equipment, the network according to the access layer authentication request message comprising the access points group identifier and transmitted by the target access point in the access points group, comprises: determining, by the user equipment, a second authentication token according to a random number in the access layer authentication request message; and determining, by the user equipment, that the authentication of the network is passed if the second authentication token and a first authentication token in the access layer authentication request message are same” of claim 1. 
The closest prior art, Lee et al. (2017/0078874), discloses that the SKMF may mutually authenticate with a user equipment. The SKMF may derive a session key (e.g., K.sub.ASME) for use in communicating with a UE connected to an MME. The SKMF may send the session key, for the UE, to the MME. Mutually authenticating with the UE may include the SKMF forwarding a request to an HSS for authentication information for the UE. The authentication information may include authentication vectors (AVs) for the UE. Mutually authenticating with the UE may further include the SKMF receiving an authentication response from the UE. An authentication vector may include an expected response (XRES), an authentication value (AUTN), a random number (RAND), and the first session key (e.g., K.sub.SKMF). The AUTN may be based on a sequence number and a secret key (SK) which the UE shares with the HSS.
Lee et al. (2017/0078874) does not disclose or suggest, “transmitting, by the local service center, to the target access point an access points group identifier corresponding to the access points group and an access layer authentication parameter corresponding to the user equipment, so that the target access point performs access layer mutual authentication with the user equipment according to the access points group identifier and the access layer authentication parameter; wherein authenticating, by the local service center, the user equipment according to the network layer authentication request response message transmitted by the user equipment, comprises: determining, by the local service center, that authentication of the user equipment is passed if an authentication response parameter comprised in the network layer authentication request response message and an expected response parameter in the network layer authentication parameter are same” of claim 5.
The closest non-patent literature, Bhakti (Title: EAP-based Authentication with EAP Method Selection Mechanism: Simulation Design), teaches that two types of EAP model are specified, namely the pass-through behavior model and the multiplexing model. In the pass-through behavior model, the three entities involved in EAP authentication, i.e. Supplicant, Authenticator, and Authentication Server, reside in three separate devices. The Supplicant resides in wireless client stations, the Authenticator resides in access points, and the Authentication Server resides in AAA (Authentication, Authorization, and Accounting) servers, such as RADIUS and DIAMETER. The Authenticator acts only as a pass-through device. This model is the most common model used in EAP implementations in wireless LANs.
The non-patent literature of Bhakti does not teach or suggest, “authenticating, by the access point, the user equipment according to an access layer authentication request response message if the access point receives from the user equipment the access layer authentication request response message comprising the access points group identifier; wherein authenticating, by the access point, the user equipment according to the access layer authentication request response message comprising the access points group identifier and transmitted by the user equipment, comprises: determining, by the access point, that authentication of the user equipment is passed if an authentication response parameter comprised in the access layer authentication request response message and an expected response parameter in the access layer authentication parameter are same” of claim 12.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

4/27/2022
/JJ/

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439