Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 9/21/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 1 and 15 are objected to because of the following informalities: the claims recite “in response to exchanging link layer authentication packets resulting  authorization of the client,” and should recite “in response to exchanging link layer authentication packets resulting in authorization of the client,”.
Claims 7 and 13 are objected to because of the following informalities: the claims recite “the Internet” with no prior reference (antecedent basis) to an Internet.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 15-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because the program product does not exclude transitory signals and could be software per se. Specification [0020] discloses the computer readable storage medium may be a storage device. Specification [0016] discloses the storage device may be tangible, non-transitory. Thus it may be transitory. The rejection can be overcome by claiming “a non-transitory computer readable storage medium”.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-5, 7, 10-13 and 15-18 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Borapura (8,584,209).

Regarding claim 1, Borapura teaches
a method comprising: 
receiving, at an edge network access node and over a local area network ("LAN"), a link layer authentication packet from a client using a remote network access server ("NAS") agent running on the edge network access node, (Borapura, Col 3, lines 7-10, As described herein, an authentication proxy application (hereinafter referred to as a "proxy application") may enable a layer-two network node to authenticate a client device Col 4, lines 46-49, In one example, node 110 may communicate with client device 120 using an extensible authentication protocol (e.g., EAP or EAP over a local area network (EAPOL))) the link layer authentication packet indicating that the client is seeking network access through the edge network access node; (Borapura, Col 5, lines 27-29, Client device 120 may send an access request to node 110) (Examiner Note: authentication proxy application reads on remote NAS agent, node 110 reads on edge access device)
transmitting, over a network different from the LAN, the link layer authentication packet to a remote NAS for processing in a link layer authentication process, wherein the link layer authentication packet is transmitted to the remote NAS using a tunneling connection, (Borapura, Col 3, lines 11-16, The proxy application may communicate, on behalf of the client device, with an authentication gateway network node, using a layer-two tunneling protocol to perform the authentication operation) wherein the link layer authentication process exchanges the link layer authentication packet with an authentication server to authenticate the client; (Borapura, Col 3, lines 16-19, The authentication gateway network node may receive credentials associated with the client device, via the layer-two tunneling protocol, and may communicate with the authentication server,)
receiving a link layer authentication packet from the remote NAS over the tunneling connection, the received link layer authentication packet comprising a response from the authentication server regarding the transmitted link layer authentication packet; (Borapura, Col 6, lines 19-25, Authentication server 140 may, for example, receive a request (e.g., from gateway node 130) for authentication services and may use the information associated with client device 120, obtained from the request, to determine whether to authenticate client device 120. Authentication server 140 may send a notification to node 110 indicating whether client device 120 was authenticated  Col 3, lines 16-19 tunneling protocol)
transmitting the received link layer authentication packet to the client; and (Borapura, Col 10, lines 56-59, The proxy application may send the success/failure notification, as success/failure 470, to client device 120 using the layer-two authentication protocol (e.g., EAP).)
in response to exchanging link layer authentication packets resulting (in) authorization of the client, authorizing the client for network access through the edge network access node (Borapura, Col 10, lines 40-45, The proxy application may, in response to an accept notification, establish an authentication session with client device 120. The proxy application may, for example, establish the authentication session for a period of time during which client device 120 is authorized to communicate with network 100.)

Regarding claim 2, Borapura teaches
the method of claim 1, wherein the link layer authentication process executing on the remote NAS comprises a same link layer authentication process executable on an edge network access node in communication with an authentication server (Borapura, Col 6, lines 15-19,  In one example, authentication server 140 may be capable of communicating with gateway node 130 using a layer-two and/or layer-three authentication protocol (e.g., EAP, EAPOL, RADIUS protocol, etc.) when performing authentication operations.)

Regarding claim 3, Borapura teaches
the method of claim 1, wherein the edge network node exchanges link layer authentication packets over a link layer of the LAN (Borapura, Col 5, lines 30-32, Client device 120 may communicate with node 110 using an EAP and/or EAPOL protocol when engaged in authentication operations.  Col 4 lines 31-35, In another implementation, node 110 may host a VLAN (e.g., a private VLAN (PVLAN), etc.), or a set of VLANs, that may be used to process traffic transmitted to and/or received from client device 120, gateway node 130, and/or another node 110.)

Regarding claim 4, Borapura teaches
the method of claim 1, wherein the remote NAS comprises a tunnel terminator that exposes link layer authentication packets transmitted from the edge network access node through the tunneling connection (Borapura, Col 10, lines 1-4, Gateway node 130 may receive response 450, via the layer-two tunnel, and may process response 450 (e.g., by removing headers, trailers, etc. associated with the layer-two tunneling protocol).)

Regarding claim 5, Borapura teaches
the method of claim 1, wherein the tunneling connection comprises a secure connection between the edge network access node and the remote NAS (Borapura, Col 9, lines 41-43, Gateway node 130 may send the other request for challenge information (e.g., the EAP request), as request (via tunnel) 435, to node 110 via the tunnel.)  (Examiner Note: secure connection is interpreted based on specification section [0042] which discloses a tunnel as secure)

Regarding claim 7, Borapura teaches
the method of claim 1, wherein the remote NAS and the authentication server are within a same network domain and wherein the remote NAS is connected to the edge network access node over the Internet (Borapura, Col 3 lines 50-52, As shown in FIG. 1, network 100 may include a group of network nodes 110-1, . . . , 110-M (where M≥1) (hereinafter referred to collectively as "nodes 110" and individually as "node 110"),) (Examiner Note: Internet interpreted as a computer network)

Regarding claim 10, Borapura teaches
a method comprising: 
receiving, at a remote network access server ("NAS") a link layer authentication packet from an edge network access node connected to a client, the link layer authentication packet received from a tunnel terminator of a tunneling connection between the remote NAS and the edge network access node; (Borapura, Col 9, lines 6-8, Gateway node 130 may receive response 420 via the tunnel and may process response 420 to obtain the information associated with client device 120 )
transmitting the link layer authentication packet to an authentication server as part of a link layer authorization process;  (Borapura, Col 9, lines 10-12, Gateway node 130 may send an authentication request, as access request 425, to authentication server 140. Access request 425 may be sent to authentication server 140)
receiving a link layer authentication packet from the authentication server; and (Borapura, Col 9, lines 30-32, Authentication server 140 may send the request for challenge information, as challenge request 430, to gateway node 130 based on the layer-three authentication protocol.)
transmitting the link layer authentication packet received from the authentication server to the edge network access node via the tunneling connection, (Borapura, Col 9, lines 41-43,  Gateway node 130 may send the other request for challenge information (e.g., the EAP request), as request (via tunnel) 435, to node 110 via the tunnel.)
wherein in response to exchanging link layer authentication packets resulting in authorization of the client by the authentication server, the edge network access node authorizes the client for network access through the edge network access node (Borapura, Col 10, lines 33-42, Gateway node 130 may send the success/failure notification, as success/failure (via tunnel) 465, to node 110 via the tunnel.  …  The proxy application may, in response to an accept notification, establish an authentication session with client device 120. The proxy application may, for example, establish the authentication session for a period of time during which client device 120 is authorized to communicate with network 100.)

Regarding claim 11, Borapura teaches
the method of claim 10, wherein the link layer authentication process executing on the remote NAS comprises a same link layer authentication process executable on an edge network access node in communication with an authentication server (Borapura, Col 6, lines 15-19,  In one example, authentication server 140 may be capable of communicating with gateway node 130 using a layer-two and/or layer-three authentication protocol (e.g., EAP, EAPOL, RADIUS protocol, etc.) when performing authentication operations.)

Regarding claim 12, Borapura teaches
the method of claim 10, wherein the tunneling connection comprises a secure connection between the edge network access node and the remote NAS (Borapura, Col 9, lines 41-43, Gateway node 130 may send the other request for challenge information (e.g., the EAP request), as request (via tunnel) 435, to node 110 via the tunnel.)

Regarding claim 13, Borapura teaches 
the method of claim 10, wherein the remote NAS and the authentication server are within a same network domain and wherein the remote NAS is connected to the edge network access node over the Internet (Borapura, Col 3 lines 50-52, As shown in FIG. 1, network 100 may include a group of network nodes 110-1, . . . , 110-M (where M≥1) (hereinafter referred to collectively as "nodes 110" and individually as "node 110"),)

Claims 15-18 are program product claims for the method claims 1-3 and 5 and are rejected for the same reasons as claims 1-3 and 5.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Borapura (8,584,209) in view of Palekar (2003/0226017).

Regarding claim 6, Borapura teaches
the method of claim 5, wherein 
Borapura does not teach the secure connection comprises a Transport Layer Security (“TLS”) connection. 
However Palekar teaches the secure connection comprises a Transport Layer Security (“TLS”) connection (Palekar [0042] The Extensible Authentication Protocol (EAP) is one possible authentication mechanism that can be agreed upon through the use of LCP. Unlike a fixed authentication protocol, EAP allows the precise authentication mechanism to be selected after the PPP link has been established through the use of LCP. One such authentication mechanism that can be agreed upon is the Transport Layer Security (TLS) Protocol. TLS is one example of an authentication protocol that provides an authentication mechanism, as well as support for negotiating an encryption mechanism and providing encryption key exchange.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Palekar’s TLS on EAP with Borapura’s EAP because doing so provides improved security (Palekar [0008] The Transport Layer Security (TLS) protocol provides a mechanism for encrypting the messages between two endpoints such that a rogue interceptor cannot eavesdrop, intercept, or tamper with the messages).


Claims 8 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Borapura (8,584,209) in view of Hagen (2002/0075844).

Regarding claim 8, Borapura teaches
the method of claim 1, wherein the edge network access node comprises … and the network access node is incapable of running the link layer authorization process without the remote NAS agent  (Borapura, Col 3, lines 7-10, As described herein, an authentication proxy application (hereinafter referred to as a "proxy application") may enable a layer-two network node to authenticate a client device) (Examiner Note: without the proxy application authentication is not enabled).  
Borapura does not teach an application programming interface ("API") that allows the remote NAS to control functionality of the edge network access node.
However Hagen teaches application programming interface ("API") that allows the remote NAS to control functionality of the edge network access node (Hagen [0128] A fifth policy applies if a programmatic interface between the WAPs and the NAS is available. For example, if the WAPs have an API which the NAS can programmatically access and thereby command the WAPs,).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Hagen’s API for access control because doing so improves managing access (Hagen [0003] Still more specifically, the invention relates to a system and method for providing and managing public network access by wireless, mobile terminals using the existing network connection resources of otherwise private networks.)

Claim 19 is a program product claim for the method claim 8 and is rejected for the same reasons as claim 8.

Claims 9 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Borapura (8,584,209) in view of Luo (2003/0169713).

Regarding claim 9, Borapura teaches
the method of claim 1, wherein the remote NAS agent, in response to the authentication server authorizing the client, … authorize the client for network access  (Borapura, Col 10, lines 40-45, The proxy application may, in response to an accept notification, establish an authentication session with client device 120. The proxy application may, for example, establish the authentication session for a period of time during which client device 120 is authorized to communicate with network 100.)
Borapura does not teach modifies a hardware table of the edge network access node
However Luo teaches modifies a hardware table of the edge network access node to authorize the client for network access (Luo [0022] Every access point maintains a mobile state table 118 for the mobile hosts that are associating with it or [0023] The mobile host's routing state is set to "normal," "limited," or "blocked." The "normal" state means that the mobile host has been authenticated to the WLAN through the Web interface.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Luo’s access point with Borapura’s edge access because doing so improves client options to include wireless devices (Luo, [0018] Once a user is authenticated to the WLAN, his mobile host obtains full IP connectivity and receives secure mobility support from the WLAN. ) and routing tables are a well-known technique for controlling network traffic.

Claim 20 is a program product claim for the method claim 9 and is rejected for the same reasons as claim 9.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Borapura (8,584,209) in view of Alls (2014/0130033).

Regarding claim 14, Borapura teaches
the method of claim 13, 
Borapura does not teach the remote NAS and the authentication server are executing in a same virtual machine.
However Alls teaches the remote NAS and the authentication server are executing in a same virtual machine (Alls, [0030] As used herein, security appliance 312 is any server appliance that is designed to protect computer networks from unwanted traffic. Security appliance 312 uses virtualization, i.e., virtual machine (VM) technology to facilitate operation thereof.  [0034] Security appliance 312 also includes a fourth VM module 310 that acts as an active directory/remote authentication dial-in user service (RADIUS) server configured to facilitate centralized management of security policies)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Alls’ virtual machine security appliance with Borapura’s security service appliances  because doing so improves operations and allows multiple functions in one host (Alls [0030] Security appliance 312 uses virtualization, i.e., virtual machine (VM) technology to facilitate operation thereof).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BRUCE S ASHLEY/               Examiner, Art Unit 2494