DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This action is responsive to an amendment filed on 01/28/2022.
Claims 1, 5, 10, 14, 16 and 20 have been amended.
Claims 2, 11 and 17 have been canceled.
Claims 1, 3-10, 12-16 and 18-20 are pending.

Response to Arguments
Applicant's arguments filed 01/28/2022, with respect to the rejection of the pending claims under 35 U.S.C. §103 have been fully considered but they are not persuasive.
Applicant argues that Dubuc does not disclose that the response received on successful authentication of the IoT device includes "a first attribute indicative of a network address of a remote server to connect with the IoT device" (Rem./Arg. Page 7).
Examiner respectfully disagrees. Dubuc teaches after successfully authenticate user device, RADIUS server return an interface name, a VLAN identifier, a VLAN name or a VDOM name within a Vendor-Specific attribute (VSA) of the RADIUS Access-Accept response packet. The value of the VSA provided in the RADIUS Access-Accept response packet may then be used to establish a routing entry to forward traffic from the user's source IP address to an identified destination VLAN [¶ 0071]. Dubuc also teaches a routing table include at least a destination field, identifying the IP address of the packet's final destination [¶ 0081]. Dubuc further teaches the phrase "virtual local area network" (VLAN) refers to a logical grouping of workstations, servers on one or more local area networks (LANs) [¶ 0041]. Thus, given the broadest reasonable interpretation, Examiner considers a VLAN identifier as a network address of a remote server. 
Applicant further argues that Dubuc nowhere discloses such a mapping between MAC of the IoT device and network address or IP address of a remote server. (Rem./Arg. Page 8)
However, Examiner added prior art., Yu, to teach this limitation, see the newly crafted rejection, infra.
Applicant further argues that Dubuc does not teach "generating[. . .] a firewall role for the lo T device based on a combination of an Internet Protocol (IP) address of the lo T device and the first attribute". (Rem./Arg. Page 8)
Examiner respectfully disagrees. Dubuc teaches the gateway adds a firewall policy specifically for the source IP address associated with the now authenticated user device. ….The value of the VSA [i.e., the first attribute] provided in the RADIUS Access-Accept response packet may then be used to establish a routing entry to forward traffic from the user's source IP address to a gateway interface associated with an identified destination VLAN [i.e., remote destination server]. 
Applicant further argues that the IoT rules of Zou may be specific for an IoT device ( See paragraph 0053 of Zou). However, the IoT rules or IoT firewall of Zou is not generated "based on a combination of an Internet Protocol (IP) address of the lo T device and the first attribute'' as recited in the claim 1. (Rem./Arg. Page 9).
However, Examiner relied on Zou to teach only the limitation, “…firewall role is indicative of a permission to exchange a specific type of data traffic between the IoT device and the remote server”. Zou teaches an IoT firewall includes IoT rules for transmission of data through a private cloud in managing the IoT devices. IoT rules can include what IoT devices can be onboarded or authenticated, what types of data are allowed to be transferred through a private cloud for managing and onboarding IoT devices, what destinations [i.e. remote server] IoT devices are allowed to send data to and receive data from [¶ 0053]. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 3, 5-7, 10, 12, 14-16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2019/0089704 (Nagaraju et al.) in view of US 2008/0028445 (Dubuc et al.).

Regarding Claim 1, Nagaraju teaches a method for authentication and firewall enforcement for an Internet of Things (IoT) device coupled to a network device ([⁋ 0010], teaches authenticates an IoT device by sending MAC address of the IoT device to an authentication server), the method comprising: sending, by the network device to an authentication server, a request to authenticate the IoT device, the request including a Media Access Control (MAC) address of the IoT device ([⁋ 0019-0020], determine, in response to a device joining a network, a media access control (MAC) address of device. …the device  may include an IoT device…send the MAC address to an authentication server for authenticating the MAC address . [see also, ⁋⁋ 0027, 0030]);
receiving, by the network device from the authentication server, a response indicative of successful authentication of the IoT device based on the MAC address, wherein the response includes a first attribute ([⁋ 0010], In response to the authentication request, receive a Vendor Specific Attribute (VSA) associated with the MAC address from the authentication server. [⁋ 0021]. Once the MAC address is authenticated by authentication server, authentication server may provide the VSA associated with the MAC address. [see also, ⁋⁋ 0027, 0030, Fig. 4, instruction 410, ⁋ 0031];
Nagaraju does not explicitly teach, however, Dubuc teaches first attribute indicative of a network address of a remote server to connect with the user device [e.g., IoT device] ([⁋ 0053], during authentication with a authentication server one or more authentication attributes may be returned by the authentication server to facilitate routing of an end user traffic flow. For example, information regarding a destination virtual network, such as a destination VLAN can be returned by the authentication server. [⁋ 0071], successful authentication by a RADIUS server may cause the RADIUS server to return an interface name, a VLAN identifier [i.e., network address of a remote server], a VLAN name or a VDOM name within a Vendor-Specific attribute (VSA) of the RADIUS Access-Accept response packet); generating,  by the network  device,  a firewall role for the IoT device based on a combination of an Internet Protocol (IP) address of the IoT device and the first attribute  ([⁋ 0053], during authentication with a authentication server one or more authentication attributes may be returned by the authentication server to facilitate routing of an end user traffic flow. For example, information regarding a destination virtual network, such as a destination VLAN can be returned by the authentication server and then used by a network device to install a policy route from the client's source IP address [e.g., IP address of the IoT device] to the desired virtual network. [Fig. 2, ⁋⁋ 0070-0071], At decision block 225, the gateway waits for the authentication result from the authentication process. If the authentication is successful, processing continues with block 230. At block 230, the gateway adds a firewall policy specifically for the source IP address associated with the now authenticated user thereby granting the user access through the gateway. At block 235, a specific routing entry may be created within the gateway for the authenticated user's source IP address ….The value of the VSA provided in the RADIUS Access-Accept response packet may then be used to establish a routing entry to forward traffic from the user's source IP address to a gateway interface associated with an identified destination VLAN. [⁋ 0073] At block 245, If authentication was successful, subsequent traffic from the source IP address associated with the authenticated user will be forwarded to the VLAN identified based on the authentication response); controlling, by the network device, data traffic between the IoT device and the remote server based on policies defined in the generated firewall role ([¶ 0080] the firewall matches the intercepted connection request from the remote client against the policy table to determine whether to allow, block or authenticate the connection request. [¶ 0081], routing table contains a set of rules that are used to determine where data packets originated by the remote client will be directed. …the routing table include at least a destination field, identifying the IP address of the packet's final destination, …should be used when forwarding the packet to the final destination).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nagaraju with Dubuc in order to add a firewall policy for granting access of a particular device based on the IP address of the device and the destination as taught by Dubuc, because it would have enabled the system to assist traffic forwarding/routing form distinct device based on the authentication results [Dubuc, ⁋ 0004].
While, Dubuc teaches an attribute-to-interface table that represents a mapping of attribute values (e.g., VLAN-name, VLAN-id, VDOM-name, interface-name, etc.) that may be returned with successful authentication responses, however, Nagaraju in view of Dubuc do not explicitly teach, but Yu teaches wherein the IoT device is authenticated based on a predefined mapping that links the MAC address of the IoT device with the first attribute ([Page 4, para. 2-4] received a request for accessing a certain website, triggers the authentication server to perform MAC authentication on the MAC address 1_1 that is the MAC address of the user… the authentication server authenticates the MAC address 1_1 and sends an authorized Virtual Switch Instance (VSI) corresponding to the user, a Uniform Resource Locator (URL) and an ACL policy when the authentication passes. …the ACL entry includes the MAC address 1_1 and the URL [i.e., the first attribute], and the ACL entry is used to redirect the network access request carrying the MAC address 1_1 to the corresponding URL).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nagaraju and Dubuc with Yu in order to map the MAC address of the user  device and the URL of the destination  in a ACL as taught by Yu, because it would have enabled the system to control the transfer of data between a device and a specific destination.
Nagaraju in view of Dubuc and Yu do not explicitly teach, but Zou teaches wherein the firewall role is indicative of a permission to exchange a specific type of data traffic between the IoT device and the remote server ([¶ 0053] an IoT firewall includes IoT rules for transmission of data through a private cloud in managing the IoT devices. IoT rules can include what IoT devices can be onboarded or authenticated, what types of data are allowed to be transferred through a private cloud for managing and onboarding IoT devices, what destinations [i.e. remote server] IoT devices are allowed to send data to and receive data from).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nagaraju, Dubuc and Yu with Zou in order to  implementing a firewall rule specifying which type of data are allowed to be sent as taught by Zou, because it would have enabled the system to implement proper rules for forwarding message based on the implementation-specific consideration of  IoT device [Zou, ⁋ 0063].

Regarding Claim 3, Nagaraju in view of Yu and Zou do not explicitly teach, however, Dubuc teaches the method of claim 1, wherein the response includes a second attribute indicative of a predefined Virtual Local Area Network (VLAN) for grouping the IoT device [⁋ 0071], successful authentication by a RADIUS server may cause the RADIUS server to return an interface name, a VLAN identifier, a VLAN name or a VDOM name within a Vendor-Specific attribute (VSA) of the RADIUS Access-Accept response. [Fig. 1, ⁋ 0044], Each subscriber [e.g., IoT device] has a corresponding virtual local area network (VLAN) (i.e., Customer A VLAN 111, Customer B VLAN 112, Customer C VLAN 113 and Customer D VLAN 114) within the co-location network 110 with which the customer's telecommunications and/or network equipment is associated).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nagaraju with Dubuc in order to includes VLAN information in the authentication response message to grouping the user device as taught by Dubuc, because it would have enabled the system to grouping devices based on the type of device or user [Dubuc, ⁋ 0041].

Regarding Claim 5, while, Nagaraju teaches Authentication server may include a profile for device 114. …a Vendor Specific Attribute (VSA) may be associated with the MAC address of device 114. …the VSA may be associated with the MAC address of device 114 in a profile of device 114 on authentication server 118 [⁋ 0020], however, Nagaraju does not explicitly teach, but Dubuc teaches  the method of claim 3, wherein the predefined mapping links the IP address [not MAC address] of the IoT device with the second attribute ([¶ 0054], a policy route from the client's source IP address to the virtual network. [⁋ 0082], the attribute-to-interface table represents a mapping of attribute values (e.g., VLAN-name [i.e., second attribute], VLAN-id, Vdom-name, interface-name, etc. that may be returned with successful authentication responses. Therefore, it would be appreciated that Dubuc mapping the IP address of the client’s device with the VLAN).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Dubuc in order to map the device ID with the Vendor-Specified attributes to provide information with the authentication response as taught by Dubuc, because it would have enabled the system to implement proper rules for forwarding message from the particular device.
While, Dubuc mapping client IP address, however, Nagaraju in view of Dubuc and Zou do not explicitly teach, but Yu teaches mapping MAC address of the device ([Page 4, para. 4]…the ACL entry includes the MAC address 1_1 and the URL [i.e., the first attribute], and the ACL entry is used to redirect the network access request carrying the MAC address 1_1 to the corresponding URL).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nagaraju and Dubuc with Yu in order to using MAC address of a device to map with it’s destination as taught by Yu, because it would have enabled the system to identify the device correctly.


Regarding Claim 6, Nagaraju teaches the method of claim 3, wherein the first and second attributes are Vendor- specific attributes included in the response ([⁋ 0010], In response to the authentication request, receive a Vendor Specific Attribute (VSA) associated with the MAC address from the authentication server. [⁋ 0021]. Once the MAC address is authenticated by authentication server, authentication server may provide the VSA associated with the MAC address. [see also, ⁋⁋ 0027, 0030, Fig. 4, instruction 410, ⁋ 0031].

Regarding Claim 7, Nagaraju teaches the method of claim 1, wherein the request is a Remote Authentication Dial-In User Service (RADIUS): Access-Request message and the response is a RADIUS: Access-Accept message ([⁋ 0020], authentication server 118 may include a Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS server may refer to an authentication server 118 that operates according to the RADIUS protocol. [⁋ 0027], send the MAC address to a Remote Authentication Dial-In User Service (RADIUS) server. In response, receive a Vendor Specific Attribute (VSA) associated with the MAC address from the RADIUS server.

Regarding Claim 10, Nagaraju teaches an access point (AP) comprising: a processor; and a memory coupled to the processor, the memory storing  instructions executable by the processor ([Fig. 4, 0031], Internet of Things (IoT) device on a network switch. …includes a processor 402 and a machine-readable storage medium 404 communicatively coupled…processing logic that interprets and executes machine-readable instructions stored in machine-readable storage medium).
The rest of the limitations of Claim 10 are rejected under the same rationale of Claim 1.

Claims 12, 14 and 15 are rejected under the same rationale of Claims 3, 5 and 7, respectively.

Regarding Claim 16, Nagaraju teaches a non-transitory computer-readable medium comprising computer-readable instructions, the computer-readable instructions when executed by a processor, cause the processor to ([Fig. 4, 0031] … machine-readable storage medium may be a non-transitory machine-readable medium. Machine-readable storage medium 404 may store instructions 406, 408, 410, 412, and 414. …instructions may be executed by processor 402 to…).
The rest of the limitations of Claim 16 are rejected under the same rationale of Claim 1.

Claims 18  and 20 are rejected under the same rationale of Claims 3 and 5, respectively.

Claims 4, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Nagaraju in view of Dubuc, Yu and Zou, further in view of US 2016/0381030 (Chillappa et al.).

Regarding Claim 4, while Dubuc teaches the method of claim 3, further comprising: associating, by the network device, the subscriber with the predefined VLAN ([Fig. 1, ⁋ 0044], each subscriber has a corresponding virtual local area network (VLAN) (i.e., Customer A VLAN 111, Customer B VLAN 112, Customer C VLAN 113 and Customer D VLAN 114) within the co-location network 110 with which the customer's telecommunications and/or network equipment is associated and monitoring resources associated with the co-location network 110 within which customer VLAN located [Fig. 1, ⁋ 0049], however, Nagaraju in view of Dubuc do not explicitly teach, but, Chillappa teaches, associating, by the network device, the IoT device with the predefined VLAN ([⁋ 0008], …creating a virtual local area network (VLAN) with restricted privileges on the local area network, and isolating the corresponding IoT device in the VLAN. …various IoT devices are isolated in specific ones of the VLANs based on their reputation scores); and monitoring, by the network device, performance characteristics of the IoT device based on the association with the predefined VLAN ([Fig. 3, ⁋ 0032], a constraint profile 301 for an unknown IoT device 123 can direct the router component 123 to segregate the given device 123 to a separate VLAN 309, monitor all attempts by the IoT device 123 to communicate with other devices. Over time as the IoT device 123 becomes known and specific communications it executes are deemed legitimate, the constraint profile 301 can be updated for running the IoT device 123 in a less restrictive VLAN 309, but the router component 121 continues to monitor the device. [⁋ 0035], the default constraint profile 301 for an unknown device 123 indicates to isolate the device 123 in a separate VLAN 309, monitor its communications and other behaviors, and report all monitored information to the backend component).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Chillappa in order to  isolating IoT devices in specific VLAN to monitor the IoT devices activity and behaviors  in that VLAN as taught by Chillappa, because it would have enabled the system to grouping the IoT devices to properly monitoring a particular types of IoT devices in a particular group.

Claims 13  and 19 are rejected under the same rationale of Claim 4.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Nagaraju in view of Dubuc, Yu and Zou, further in view of US 2019/0089813 (Choi et al.).

Regarding Claim 8, Nagaraju in view of Dubuc, Yu and Zou do not explicitly teach, however, Choi teaches, the method of claim 1, wherein the IoT device is an IoT dongle coupled to the network device through a Universal Serial Bus (USB) port of the network device ([⁋ 0027], a model of a newly-launched product according to performances, and the user may be provided with an option for the IoT function via the dongle. [⁋ 0075], a dongle is connected to a device via a USB connector).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Choi in order to  use a USB dongle to provide an IoT function as taught by Choi, because it would have been an advantageous addition to use a dongle to provide IoT function for a device not supporting IoT function to a home network [Choi, ⁋ 0005].

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Nagaraju in view of Dubuc, Yu and Zou, further in view of US 2017/0180380 (Bagasra).

Regarding Claim 9, Nagaraju in view of Dubuc, Yu and Zou do not explicitly teach, however, Bagasra teaches the method of claim 1, wherein the IP address is assigned to the IoT device using Dynamic Host Configuration Protocol (DHCP) ([Fig. 1, ⁋ 0029] DHCP server 140 implement the DHCP protocol for assigning an IP address to a requesting IoT device 105. [Fig. 4, ⁋ 0036], PGW 315, using the DHCP protocol, assigns 405 an IP address to IoT device 105).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate Bagasra in order to  assign IP address of an IoT device using DHCP server as taught by Bagasra, because it would have ensure providing a reliable IP address to the IoT device without any address conflict caused by the assignment of an IP address.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMAD YOUSUF A MIAN whose telephone number is (571)272-9206. The examiner can normally be reached Monday-Friday 9am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PETER-ANTHONY PAPPAS can be reached on 571-272-7646. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
/LANCE LEONARD BARRY/Primary Examiner, Art Unit 2448                                                                                                                                                                                                        


/MOHAMMAD YOUSUF A. MIAN/Examiner, Art Unit 2448