DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 3/18/2021. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Arora et al. (US 20190238539 A1, hereinafter Arora) in view of Isola et al. (US 20200137055 A1, hereinafter Isola).

Regarding claim 1, Arora discloses a method performed by a network device management system (200-205, Fig. 2; para. [0032], switch, end device, fingerprint engine, network management server…), the method comprising:
receiving, from a network switch, network device identification information associated with a network device connected to a network port of the network switch (paras. [0001], lines 6-8, policy infrastructure should enable any end device to be connected to any port on an access switch…; [0019], lines 8-10, the switch may send the device identity, Device_ID, of the connected end device to a network management server, NMS…);
performing first verification processing to attempt to authenticate the network device based on the network device identification information (paras. [0015], upon acquiring the device fingerprint the switch sends this device fingerprint to a fingerprint engine… fingerprint engine may comprise an authentication server… the received device fingerprint, such as the MAC address the fingerprint is then able to determine the device identity of the end device which has connected to the switch and return this to the switch; [0019], lines 11-15; [0020], Upon receiving the device identity from the switch, the NMS searches for a configuration template profile corresponding to such a device identity… if a match is found, returns the relevant configuration template profile to the switch…using the determined device identity to obtain a configuration template profile associated with the connected end device…); 
sending first configuration settings to the network switch to enable auto-configuration of the network port based on the first configuration settings (paras. [0020]-[0021], sending the determined device identity to a network management server, NMS, and receiving an associated configuration template profile from the NMS. The received configuration template profile can then be used to automatically configure the switch…); 
receiving, from the network device, switch/port identification information (paras. [0015], lines 1-8, Upon acquiring this device fingerprint…, such as the MAC address…; [0022], lines 1-4, If the switch has previously had a similar end device connect thereto at a previous occasion, the switch may have stored a device identity for such a type of end device.); 

Arora discloses switch/port identification information (para. [0015], lines 1-8, device fingerprint, MAC address), but fails to explicitly teach: 
performing second verification processing to attempt to further authenticate the network device based on the switch/port identification information; and 
sending second configuration settings to the network switch to enable re-configuration of the network port based on the second configuration settings.

Isola, in the same or similar field of endeavor, teaches 
performing second verification processing to attempt to further authenticate the network device (Figs. 6-7; paras. [0051]-[0052], At step 611, the NAS 108 sends a spoofing alert. The NAS 108 may send a spoofing alert that indicates that the MAC address has been spoofed….the NAS 108 may update an entry in the switch information table 218 with the port status change…; [0078], lines 5-7; [0088], lines 1-8, At step 702, the NAS 108 determines whether the port 103 where the endpoint device 106 is connected to has been used before. For example, the NAS 108 may look for entries in the switch information table 218 that correspond with the port 103 where the endpoint device 106 is connected. The NAS 108 proceeds to step 704 in response to determining that the port 103 the endpoint device 106 is connected to has been used before); and 
sending second configuration settings to the network switch to enable re-configuration of the network port based on the second configuration settings (paras. [0078]; [0089]-[0090], At step 704, the NAS 108 resets the port 103 that the endpoint device 106 is connected to a default setting. Here, the NAS 108 resets the port 103 to a default setting to overwrite any previous settings and to configure the port 103 into a known setting… At step 706, the NAS 108 updates the port 103 with the new status. The NAS 108 may set the port 103 based on a previously determined port status. For example, the NAS 108 may determine a port status using a process similar to the process described in FIGS. 6A-6B. The port 103 may be configured to an open state, a blocked state, a pending state… At step 708, the NAS 108 saves the new port status in to the switch information table 218. Here, the NAS 108 updates the port status field 408 in the switch information table 218 with the most recent port status and configuration.).
Therefore, considering Arora and Isola’s teachings as a whole, one of ordinary skill in the art, before the effective filing date of Applicant’s claimed invention, would be motivated to preemptively identify malicious network devices before they can access a network which limits their abilities to provide information security and to control and monitor data access within the network (para. [0004], lines 14-17).

Regarding claim 2, Arora-Isola discloses the method of claim 1, wherein the network port configured based on the first configuration settings provides a first scope of network access to the network device and the network port configured based on the second configuration settings provides a second scope of network access to the network device, the first scope of network access being more limited than the second scope of network access (Arora, paras. [0019]-[0021], switch may send the device identity, Device_ID to NMS) (Isola, Figs. 6-7; paras. [0051]-[0052], spoofing alert and updating entry with port status change; [0088], lines 1-8, setting default port through re-configuration of port status change).

Regarding claim 3, Arora-Isola discloses the method of claim 2, wherein the first scope of network access restricts the network device to establishing a secure connection with the network device management system (Arora, Fig, block 307 the method comprises acquiring the Device ID for the connected end device. For example, this may comprise sending the device fingerprint in block 307 to a fingerprint engine, such as a CPPM…).

Regarding claim 4, Arora-Isola discloses the method of claim 3, further comprising:
receiving, by the network device management system, secure credentials from the network device via the network port configured based on the first configuration settings (Arora, Fig. 3; paras. [0019]; [0037]); 
authenticating, by the network device management system, the secure credentials (Arora, Fig. 3; paras. [0015]; [0019], lines 11-15; [0020]; [0037]); and
establishing, by the network device management system, the secure connection with the network device over the network port configured based on the first configuration settings (Arora, paras. [0015]; [0019], lines 11-15; [0020]; [0022], lines 7-10, the switch can send this directly to the NMS for fetching the configuration template profile, without first having to consult a fingerprint engine or the like…; [0037]).  

Regarding claim 5, Arora-Isola discloses the method of claim 2, wherein performing the first verification processing comprises:
identifying a unique device identifier for the network device included in the network device identification information (Arora, para. [0015], MAC address); 
determining that the unique device identifier matches a stored identifier corresponding to a known authorized network device (Arora, para. [0015], MAC address; [0019], lines 11-15; [0020]); and 
establishing a first level of authentication for the network device based on determining that the unique device identifier matches the stored identifier corresponding to the known authorized network device (Arora, paras. [0015], MAC address; [0019], lines 11-15; [0020]; [0025]), 
wherein sending the first configuration settings to the network switch comprises sending the first configuration settings responsive to establishing the first level of authentication (Arora, paras. [0015]; [0020]-[0021]). 

Regarding claim 6, Arora-Isola discloses the method of claim 5, wherein performing the second verification processing comprises:
comparing the switch/port identification information received from the network device with the network device identification information received from the network switch (Isola, Figs. 6-7; paras. [0051]-[0052]; [0078], lines 5-7; [0088]);
determining that the switch/port identification information matches the network device identification information (Isola, paras. [0078], lines 5-7; [0088], lines 1-8); and
establishing a second level of authentication for the network device based on determining that the switch/port identification information matches the network device identification information, the second level of authentication representing a more secure authentication of the network device than the first level of authentication (Isola, paras. [0022]; [0030], lines 1-6, The NAS 108 is configured to authenticate end point devices 106 that are connected to a port 103 of a switch 104. The NAS 108 may authenticate endpoint device 106 using an 802.1X protocol, a MAC authentication Bypass (MAB) whitelist, the process described in FIGS. 6A, 6B, and 7…; [0036]-[0037], access control engine 208 is implemented using logic units, FPGAs, ASICs, DSPs, or any other suitable hardware; [0078], lines 5-7; [0088], lines 1-8),
wherein sending the second configuration settings to the network switch comprises sending the second configuration settings responsive to establishing the second level of authentication (Isola, paras. [0078]; [0089]-[0090]). 

Regarding claim 7, Arora-Isola discloses the method of claim 6, wherein the second configuration settings comprise full configuration settings, and wherein the network port re-configured based on the full configuration settings expands a scope of the network access for the network device from the first scope of network access to the second scope of network access (Arora, paras. [0019]-[0021], switch may send the device identity, Device_ID to NMS) (Isola, Figs. 6-7; paras. [0051]-[0052]; [0078]; [0089]-[0090]).

Regarding claim 8, Arora-Isola discloses the method of claim 6, wherein determining that the switch/port identification information matches the network device identification information comprises:
identifying at least one of a network switch identifier or a network port identifier included in the switch/port identification information (Arora, paras. [0015], lines 1-8; [0019], lines 11-15; [0020]; [0022]); and 
determining at least one of: the network switch identifier identifies the network switch from which the network device identification information was received or the network port identifier identifies the network port via which the network device identification information was received (Arora, paras. [0015], lines 1-8; [0019], lines 11-15; [0020]; [0022]). 

Regarding claim 9, Arora-Isola discloses the method of claim 8, wherein determining that the switch/port identification information matches the network device identification information further comprises:
determining that the unique device identifier included in the network device identification information identifies the network device from which the switch/port identification information was received (Arora, paras. [0015], lines 7-11; [0019], lines 11-15; [0020]; [0022], lines 1-7). 

Regarding claim 10, Arora-Isola discloses the method of claim 2, wherein the first scope of network access restricts the network device to contacting an authorization service of the network device management system (Arora, paras. [0015]; [0019], lines 11-15; [0020]) and the second scope of network access restricts the network device to establishing a secure connection with the network device management system (Isola, paras. [0078]; [0089]-[0090]).

Regarding claim 11, Arora-Isola discloses the method of claim 10, wherein performing the first verification processing comprises:
identifying a unique device identifier for the network device included in the network device identification information (Arora, para. [0015], MAC address) (Isola, paras. [0078]); and
determining that the unique device identifier does not match a stored identifier corresponding to a known authorized network device (Arora, paras. [0019], lines 11-15; [0020]; [0022], lines 1-7; [0028], lines 1-5);
wherein sending the first configuration settings to the network switch comprises sending the first configuration settings responsive to determining that the unique device identifier does not match a stored identifier corresponding to a known authorized network device (Arora, paras. [0028]; [0079], lines 1-5, end device settings can be pre-optimized to improve the experience through NMS, and can provide a simplified and more efficient deployment experience, and help with better tracking of devices. Configuration errors can also be reduced…; claim 9). 

Regarding claim 12, Arora-Isola discloses the method of claim 10, further comprising:
determining, by the network device management system, that the network device has contacted the authorization service via the network port configured based on the first configuration settings (Arora, Fig. 3; para. [0040], in block 309 upon receiving the Device_ID from the fingerprint engine, the switch forwards the device identity to a NMS to fetch the configuration profile template to be applied, based on the Device_ID, block 305…); 
generating, by the network device management system, an onboarding token (Arora, paras. [0041], in block 305 the NMS cannot find a configuration template profile relating to the specific Device_ID, the NMS returns a default configuration template profile to the switch, such that the switch can then apply the default configuration template profile to configure itself, and automatically onboard the end device…; [0047], lines 1-4, creating templates profiles for Wireless LAN profiles to configure ports...creating an onboarding token); and
sending, by the network device management system, the onboarding token to the network device (Arora, paras. [0041]; [0047], lines 1-4).  

Regarding claim 13, Arora-Isola discloses the method of claim 12, further comprising:
receiving, by the network device management system, the onboarding token from the network switch, wherein the network switch retrieved the onboarding token from a discovery packet broadcasted by the network device (Arora, para. [0043], lines 1-7, Upon detecting an end device 201 connected thereto (41), the switch 200 sends the device fingerprint (42) to a fingerprint engine 203. The fingerprint engine 203 returns a device identity, Device_ID (43), to the switch 200. The switch 200 sends the device identity, Device_ID (44), to the networking management server 205, which returns a configuration template profile (45) to the switch 200.),
wherein sending the second configuration settings to the network switch comprises sending the second configuration settings responsive to receiving the onboarding token from the network switch (Arora, para. [0043], lines 7-9) (Isola, paras. [0078]; [0089]-[0090]).
 
Claims 14 and 18 incorporate substantively all the limitations of claim 1 in system and switch forms rather than method form and are rejected under the same rationale.

Claims 15 and 19 incorporate substantively all the limitations of claim 2 in system and switch forms rather than method form and are rejected under the same rationale.

Regarding claim 16, Arora-Isola discloses the network device management system of claim 14, wherein the processor is configured to perform the first verification processing by executing the computer-executable instructions to: 
identify a media access control (MAC) address for the network device in a Link Layer Discovery Protocol (LLDP) frame included in the first network information (Arora, paras. [0014], lines 6-9, device fingerprint may be acquired, for example, using a link layer discovery protocol, LLDP. For example, the device fingerprint may be acquired from type-length-value, TLV, structures of LLDP…; [0015], lines 1-8, MAC address; [0022], lines 1-4); 
determine that the MAC address matches a stored MAC address corresponding to a known authorized network device (Arora, paras. [0015]; [0019], lines 11-15; [0020]); and 
establish a first level of authentication for the network device based on determining that the MAC address matches the stored MAC address (Arora, paras. [0015], MAC address; [0019], lines 11-15; [0020]; [0025]); 
wherein the processor is configured to send the first configuration settings to the network switch by executing the computer-executable instructions to send the first configuration settings responsive to establishing the first level of authentication (Arora, paras. [0015]; [0020]-[0021]).

Claim 17 incorporates substantively all the limitations of claim 6 in system form rather than method form and is rejected under the same rationale.

Regarding claim 20, Arora discloses the network switch of claim 18, wherein the processor is further configured to determine that the network device is a known network device that was previously connected to a different port of the plurality of network ports or to a network port of another network switch (Arora, para. [0041]).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
See PTO-892 Notice of References Cited.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to THORNE E WAUGH whose telephone number is (571)270-0434. The examiner can normally be reached Monday-Friday 9AM-5:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ARIO ETIENNE can be reached on (571)272-4001. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/THORNE E WAUGH/Examiner, Art Unit 2457
/ARIO ETIENNE/Supervisory Patent Examiner, Art Unit 2457