Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 7/12/2022 has been entered.
 
This action is in response to the amendment filed 7/12/2022.  Claims 1-20 are pending.  Claims 1 (a machine), 8 (a method) and 15 (a non-transitory CRM) are independent.

Response to Arguments
Applicant’s arguments, see pages 8-9, filed 7/12/2022, with respect to the rejection(s) of claim(s) 1-3, 5, 8-10, 12, 15-17, and 19 under Antich in view of Kshirsagar have been fully considered and are persuasive.  Antich in view of Kshirsagar does not disclose routing instructions that map a plurality of applications to a plurality of VPN/VRF instances. Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Barton et al., US 2014/0033271 (filed 2013-10), in view of Antich, US 2015/0271102 (filed 2014-04).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-5, 8-12, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Barton et al., US 2014/0033271 (filed 2013-10), in view of Antich, US 2015/0271102 (filed 2014-04).

As to claims 1, 8, and 15, Barton discloses a machine/method/CRM comprising:
one or more processors; and (Barton ¶ 64)
 one or more computer-readable non-transitory storage media coupled to the one or more processors and comprising instructions that, when executed by the one or more processors, (Barton ¶ 64) cause the apparatus to perform operations comprising: 
receiving a user credential from a remote access client within a network; (“In typical operation, a user of the mobile device 810 starts the EMM client 840, logs on to the EMM server 850 via the authentication server 852, and accesses the application store 854.” Barton ¶ 179 and 336. See also ¶ 234. EMM server comprises the auth server in Figure 8. See also a proxy device of Figure 25.)
communicating the user credential to an authentication, authorization and accounting (AAA) server within the network; (“logs on to the EMM server 850 via the authentication server 852, and accesses the application store 854.” Barton ¶ 179 and 336.  “The client device 2505 may communicate with one or more resources 2520 and/or authentication services 2515 using a proxy device 2510.” Barton ¶ 396. Also ¶ 397-399)
… 
the contextual label comprises routing instructions associated with traffic behavior within the network; and (“the mobile device builds per-application policy-controlled VPN-style connections between the specific applications and a remote access point (e.g., a VPN server, a gateway, an individual computer, etc.). In particular, each specific application (i.e., a specially configured trusted application) is capable of coordinating operation with the specialized network software so that an application specific tunnel is constructed between that specific application and the remote access point.” Barton ¶ 311)
the routing instructions map a plurality of applications to a plurality of Virtual Private Network (VPN) routing/forwarding (VRF) instances; and (“a software application on a mobile device 920 can communicate with an enterprise resource 930 through an application tunnel via connections 942, 960, and 962, with the mobile device management system 926 acting as a tunneling mediator.” Barton ¶ 214)
advertising a control message to the remote access client, wherein the control message comprises the contextual label. (“policies (e.g., 822 a, 824 a, and 826 a) are refreshed periodically and/or in response to particular events, such as each time the respective application is started and/or each time the user logs onto the EMM server 850.” Barton ¶ 337. See also ¶ 391) 

While Barton does disclose that policies may be user specific and retrieved when a user authenticates (Barton ¶¶ 588 and 337), Barton does not explicitly disclose:
receiving a user attribute from the AAA server; 
generating a contextual label based on the user attribute, wherein:

Antich discloses:
receiving a user attribute from the AAA server; (“The service node receives from the central server a message (e.g., a RADIUS message including a VSA) with service resource information for the targeted LDP session to be created (386). In some examples, the RADIUS message may be an authentication reply message that confirms subscriber authentication, and also includes a VSA specifying the service resource information. ” Antich ¶ 109)
generating a contextual label based on the user attribute, (“If the central server assigns the requesting service node, then that service node can then proceed to complete setup of the targeted LDP session with the access node, such as by sending an LDP label mapping message to the access node (388). The label mapping message may be generated based on information that was specified in the RADIUS VSA received from the central server.” Antich ¶ 109).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Barton with Antich by utilizing the authentication tunnel provisioning of Antich with the application specific tunnels of Barton.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Barton with Antich in order to allow user specific policies to be provisioned in response to authentication (Barton ¶¶ 588 and 337), thereby allowing administrators to assign specific users or user groups particular policies for enforcing business practices (Barton ¶ 587).

As to claims 2, 9, and 16, Barton in view of Antich discloses the system/method/CRM of claims 1, 8, and 15 but does not disclose:
The operations further comprising receiving a policy from software-defined wide area network (SD-WAN) controller, wherein generating the contextual label is further based on the policy received from the SD-WAN controller. 

Antich further discloses:
The operations further comprising receiving a policy from software-defined wide area network (SD-WAN) controller, (“central server 14 may be a software-defined networking (SDN) controller that provides a high-level controller for configuring and managing routing and switching infrastructure of service provider network 2 (e.g., gateway 8, core network 7 and service nodes 10).” Antich ¶ 39) wherein generating the contextual label is further based on the policy received from the SD-WAN controller. (“If the central server assigns the requesting service node, then that service node can then proceed to complete setup of the targeted LDP session with the access node, such as by sending an LDP label mapping message to the access node (388). The label mapping message may be generated based on information that was specified in the RADIUS VSA received from the central server.” Antich ¶ 109).

A person of ordinary skill in the art before the effective filing date of the claimed invention would have further combined Barton in view of Antich with Antich by utilizing the SDN of Antich to supply the administrator configurations of Barton.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Barton with Antich in order to allow user specific policies to be provisioned in response to authentication (Barton ¶¶ 588 and 337), thereby allowing administrators to assign specific users or user groups particular policies for enforcing business practices (Barton ¶ 587).

As to claims 3, 10, and 17, Barton in view of Antich discloses the system/method/CRM of claims 1, 8, and 15 and further discloses:
wherein the user credential is associated with one or more of the following: a username; a password; (“A user's credentials can comprise, for example, a password, one or more answers to security questions (e.g., What is the mascot of your high school?), biometric information (e.g., fingerprint scan, eye-scan, etc.), and the like.” Barton ¶ 346) a cookie; or a certificate. (“At one or more points during the authentication, the resource 2520 may request a signature, such as from a client certificate. The proxy device 2510 might not directly have access to the client certificate, so the proxy device 2510 may involve the client device 2505” Barton ¶ 397)

As to claims 4, 11, and 18, Barton in view of Antich discloses the system/method/CRM of claims 1, 8, and 15 and further discloses:
wherein the user attribute is associated with one or more of the following: a security group; (“the mobile service management interface may be configured to allow the administrative user to define a first policy for a first user or group of users with respect to a particular application” Barton ¶ 587) a quality of service (QoS) profile; or a Network Address Translation (NAT) profile.

As to claims 5, 12, and 19, Barton in view of Antich discloses the system/method/CRM of claims 1, 8, and 15 and further discloses:
wherein the routing instructions associated with the traffic behavior within the network direct traffic to one or more VRF instances. (“a software application on a mobile device 920 can communicate with an enterprise resource 930 through an application tunnel via connections 942, 960, and 962, with the mobile device management system 926 acting as a tunneling mediator.” Barton ¶ 214. Also Barton ¶ 311)

Claims 6, 13, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Barton et al., US 2014/0033271 (filed 2013-10), in view of Antich, US 2015/0271102 (filed 2014-04), and Buddhikot et al., US 2005/0102529 (filed 2003-10).
As to claims 6, 13, and 20, Barton in view of Antich discloses a machine/method/CRM of claims 1, 8, and 15 but does not disclose:
the operations further comprising establishing an IP Security (IPsec) or Secure Socket Layer (SSL) session with the remote access client prior to generating the contextual label.

Buddhikot discloses:
the operations further comprising establishing an IP Security (IPsec) or Secure Socket Layer (SSL) session with the remote access client prior to generating the contextual label.
(“The AAA server 204 can be operated in the stand-alone server mode or relay mode. In the stand-alone mode, it supports standardized authentication protocols such as TLS, MD5, and One-Time Password (OTP) and the like. In the relay mode, the AAA server 204 relays the RADIUS packets to the remote H-AAA 45 via a AAA broker network or a pre-established pairwise security association. The gateway 40 also supports a web based authentication service that in Simple IP mode of operation allows it to authenticate mobile users using a simple web based form served over a secure SSL web connection to the web server 212.” Buddhikot ¶ 68. See also ¶ 66)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Barton in view of Antich with Buddhikot by incorporating an SSL web connection of Buddhikot to receive authentication data from the user.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to provide SSL in the system of Barton in view of Antich in order to encrypt and secure the subscriber authentication data, thereby preventing intermediary network nodes or other MitM attackers from intercepting and stealing the subscriber's authentication data.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Barton et al., US 2014/0033271 (filed 2013-10), in view of Antich, US 2015/0271102 (filed 2014-04), and Pai et al., US 2019/0349268 (filed 2017-02).
As to claims 7 and 14, Barton in view of Antich discloses a machine/method/CRM of claims 1, 8, and 15 but does not disclose:
the operations further comprising: determining that the user attribute has changed; 
and withdrawing the contextual label in response to determining that the user attribute has changed.

Pai discloses:
the operations further comprising: determining that the user attribute has changed; (“the BNG 100 reauthorizes the subscriber to receive updated information pertaining to the service chain associated with the subscriber (or the downstream service chain associated with the subscriber) in response to a determination that a change of authorization has occurred for the subscriber.” Pai ¶ 63) 
and withdrawing the contextual label in response to determining that the user attribute has changed. (“The service chain for a subscriber is determined when the subscriber session is created and can subsequently be reauthorized with a new service chain.” Pai ¶ 64)

A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Barton in view of Antich with Pai by incorporating the ability to update the policies of Barton in response to a change of authorization, as done in Pai ¶ 63.  It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Barton in view of Antich with Pai in order to allow the system to accommodate changes in authorization and service offerings in a granular manner without disrupting traffic, Pai ¶ 64.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Mayya et al., US 11,444,872, discloses application-aware routing.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL W CHAO/Examiner, Art Unit 2492