DETAILED ACTION
This initial written action is responding to the communications dated on 09/10/2020.
Claims 1-20 are submitted for examination.
Claims 1-20 have been examined and rejected.
Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Oath/Declaration
	Applicant’s oath/declaration, filed on 09/10/2020 has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63. 
Information Disclosure Statement
	The information disclosure statement (IDS) submitted on 12/18/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner. 
Specification
	The Specification filed on 9/10/2020 is accepted for examination purposes.  
Drawings
	The Drawings filed on 9/10/2020 are accepted for examination purposes.  
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Note: Limitations not taught by a reference will be shown in strike-through text. For example: 
Claims 1, 5-9, 12-14, and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bryksa et al. US 10,299,126 B2 hereafter BRYKSA in view of Schneider US 2010/0131756 A1 hereafter SCHNEIDER in further view of Rigney et al. RFC 2865; RFC Editor; June 2000 available at https://www.rfc-editor.org/info/rfc2865 hereafter RIGNEY.
As to Claim 1
BRYKSA teaches an electronic device (BRYKSA Col. 11, ll. 39-57; “The access controller 104 in this embodiment is a computer server including a first network interface 108 coupled to the Internet 102 and a second network interface 110 coupled to the hotel's LAN 106, … , a Remote Authentication Dial In User Service (RADIUS) server module 122”), comprising:
an interface circuit configured to communicate with a computer; a processor coupled to the interface circuit (BRYKSA Col. 11, ll. 39-57; “The access controller 104 in this embodiment is a computer server including a first network interface 108 coupled to the Internet 102 and a second network interface 110 coupled to the hotel's LAN 106. The access controller 104 further includes a storage device 112, and each of the network interfaces 108, 110 and the storage device 112 is coupled to one or more processors 114. In the following description, the plural form of the word "processors" will be utilized as it is common for a CPU of a computer server to have multiple processors (sometimes also referred to as cores); however, it is to be understood that a single processor 114 may also be configured to perform the below-described functionality in other implementations. The storage device 112 stores software and data utilized by the processors 114 when controlling access between the hotel's wired LAN 106 and the Internet 102. In this example, the storage device 112 stores a firewall module 120, a Remote Authentication Dial In User Service (RADIUS) server module 122, and a web server module 124.” See also Fig. 1 for Access Points [i.e. a computer] 132.); and
memory, coupled to the processor, configured to store program instructions, wherein, when executed by the processor, the program instructions cause the electronic device to perform operations (BRYKSA Col. 28, ll. 30-46; “modules may be implemented by software executed by one or more processors operating pursuant to instructions stored on a tangible computer-readable medium such as a storage device to perform the above-described functions of any or all aspects of the access controller. Examples of the tangible computer-readable medium include optical media (e.g., CD-ROM, DVD discs), magnetic media (e.g., hard drives, diskettes), and other electronically readable media such as flash storage devices and memory devices (e.g., RAM, ROM). The computer-readable medium may be local to the computer executing the instructions, or may be remote to this computer such as when coupled to the computer via a computer network such as the Internet. The processors may be included in a general-purpose or specific-purpose computer that becomes the access controller or any of the above-described modules as a result of executing the instructions.”) comprising:
receiving an access request associated with a computer (BRYKSA Col. 12, ll. 3-8; “The RADIUS server 122 stores valid access credentials in a credential database 123 and is queried by access points (APs) 132 at the hotspot when authenticating received access credentials from client devices 130 requesting association with the hotel's secure wireless network 142.”), wherein the access request comprises passphrase parameters corresponding to a passphrase associated with a user (BRYKSA Col 13, ll. 17-26; “The login portal 125 then generates a user-specific access credential that is passed to the RADIUS server 122 for storage as a valid access credential in the credential database 123. In this embodiment, the user-specific access credential is a unique username/password combination that is personalized for the specific guest identified by the login process.” BRYKSA Col. 13, ll. 35-39; “The user utilizes the user-specific access credential received from the login portal 125 and this username/password entered by the user for authentication is received by the APs 132. The APs 132 query the credential database 123 and verify the received username/password from the client device 130 correspond to a valid access credential in the credential database 123.” NOTE: Examiner submits that the RADIUS server (i.e., an electronic device) is queried by the access points i.e., the computer.),

(BRYKSA Col. 4, ll. 1-3; “only valid users in possession of a valid access credential are able to associate their wireless devices with the hotspot's secure wireless network. [i.e. a type of policy for possession of a valid access credential and is associated with the user]”. BRYKSA Col. 4, ll. 1-3; “… form a valid access credential that may be utilized to authenticate …” Also, BRYKSA col. 18, lines 21-32; “As a result of default rule 512, the firewall 120 is configured to block network traffic between the VLAN_open (i.e., network traffic that is passed over the open wireless network 140) and the Internet 102. Only client devices 130 that are able to associate with the hotspot's secure wireless network 142 have the possibility of accessing the Internet 102. Additionally, in this embodiment, only client devices 130 that have their MAC addresses specifically cleared on the firewall rules 121 for VLAN_secure are authorized for Internet access. If a client device 130 does not have its MAC address specifically cleared for Internet access, even if it is currently associated with the secure wireless network 142, default rule 512 ensures its outgoing network traffic is still blocked and that it is redirected by the firewall 120 to the hotel's login portal 125.” BRYKSA Col 17, ll. 4-17; “As shown in FIG. 4, the credential database 123 is organized in this embodiment as a table having user-specific access credentials stored in rows. A first column 400 stores the username, a second column 402 stores the password, a third column 404 stores an expiry date/time, and a fourth column 406 stores a unique client ID. Other additional or substitute columns may be utilized in other embodiments according to the desired format of the access credentials. For instance, in other embodiments, the user-specific access credential may only include a unique passkey, or may be formed by other types of values such as an electronic room key or other access code. The columns of the credential database 123 may be chosen accordingly in these embodiments.” NOTE: Examiner submits that columns represented in the credential database corresponding to login access, expiry time, or other firewall rules allowing or denying access on different VLANs or MAC addresses and the implementation of such rules for access, denial, expiration of access etc. constitute a policy of each user.); and
when one or more criteria associated with the policy are met (BRYKSA col. 18, lines 21-32; “As a result of default rule 512, the firewall 120 is configured to block network traffic between the VLAN_open (i.e., network traffic that is passed over the open wireless network 140) and the Internet 102. Only client devices 130 that are able to associate with the hotspot's secure wireless network 142 have the possibility of accessing the Internet 102. Additionally, in this embodiment, only client devices 130 that have their MAC addresses specifically cleared on the firewall rules 121 for VLAN_secure are authorized for Internet access. If a client device 130 does not have its MAC address specifically cleared for Internet access, even if it is currently associated with the secure wireless network 142, default rule 512 ensures its outgoing network traffic is still blocked and that it is redirected by the firewall 120 to the hotel's login portal 125”. BRYKSA Col. 19, ll. 9-25; “when the received username and password combination match a valid access credential stored in the credential database 123 (e.g., on columns 400, 402)”), selectively providing an access acceptance message addressed to the computer (BRYKSA Col. 19, ll. 9-25; “when the received username and password combination match a valid access credential stored in the credential database 123 (e.g., on columns 400, 402), the RADIUS server [the first electronic device] 122 replies to the AP [the computer] 132 certifying that the access credential is valid [the acceptance message].” NOTE: Examiner submits that an access point (AP) is consistent with Applicant’s own definition of “a computer” i.e. Applicant’s Specification 0007 “[t]his electronic device may include: an interface circuit that communicates with a computer (such as a controller of a computer network device, e.g., an access point or a switch, in the WLAN)”), wherein the access acceptance message is intended for a second electronic device associated with the user (BRYKSA Col. 19, ll. 26-32; “When the received access credential is a valid access credential, the AP 132 allows the client device to associate with the secure wireless network 142 and the process proceeds to step 608. Otherwise, when the received access credential is not a valid access credential, the AP 132 does not allow the client device 130 to associate with the secure wireless network.”)
BRYKSA does not expressly teach: 
… and the passphrase parameters comprise inputs to a cryptographic calculation and an output of the cryptographic calculation; 
calculating one or more second outputs of the cryptographic calculation based at least in part on the inputs and one or more stored passphrases;
when there is a match between one of the one or more second outputs and the output; and
… and comprises information for establishing secure access of the second electronic device to a network. 
However, in a similar art of secure authentication, SCHNEIDER teaches:
receiving an access request associated with the computer, wherein the access request comprises passphrase parameters corresponding to a passphrase associated with a user (SCHNEIDER 0016; “Communication request generator module 112 assembles a communication request [i.e. access request].” The passphrase parameters correspond to a passphrase of the user as they include a “MAC over the previous three values, using the encrypted password as the key.”), and the passphrase parameters comprise inputs to a cryptographic calculation and an output of the cryptographic calculation (SCHNEIDER 0016; “that includes the username, a client random string, a client timestamp, [i.e. inputs to a cryptographic calculation] and a MAC [i.e. output of the cryptographic calculation] over the previous three values, using the encrypted password as the key.” NOTE: Examiner submits that the MAC using the encrypted password is corresponding to a passphrase associated with a user, and the username, client random string, client timestamp, and MAC are the passphrase parameters.);
calculating one or more second outputs of the cryptographic calculation based at least in part on the inputs and one or more stored passphrases (SCHNEIDER 0024; “A server MAC module 122 looks up the encrypted password [i.e. one or more stored passphrases] based on the username, calculates a MAC [i.e. one or more second outputs of the cryptographic calculation] over the first three values in the request [inputs]”); and
when there is a match between one of the one or more second outputs and the output (SCHNEIDER 0024; “and verifies that the calculated MAC [one or more second outputs] matches the MAC provided by client [the output] 102”. SCHNEIDER 0025; “If it matches, response module 124 generates a response that includes the client's random value, a server random value, a server timestamp, and a MAC over these three values, using the encrypted password as the key. If the calculated MAC does not match the MAC provided by client 102, server 106 can just fail to respond, or can construct a response using a random value in place of the encrypted password.”).
BRYKSA and SCHNEIDER are from similar technology relating to secure network access and authentication.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed in BRYKSA by implementing the cryptographic calculation described in SCHNEIDER.  Based on the KSR v. TELEFLEX rationale, such a cryptographic calculation involving use of the parameters of a password/credential is nothing but applying a known technique (computing a MAC over user credentials) to a known device and method ready for improvement to yield predictable results (creating a unique, verifiable, password for each user).  
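The request check cited from SCHNEIDER 0016 and 0024, sketched as an added example (not code from the Office action or from any cited reference). HMAC-SHA256, the length-prefixed field encoding, the freshness window, the replay set and all function names are assumptions; the keys are constructed sample values standing in for the "encrypted password".

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Set, Tuple

MAX_SKEW_SECONDS = 300  # assumption: freshness window, not stated in the cited text


def encode_fields(username: str, client_random: bytes, timestamp: int) -> bytes:
    """Serialize the three MAC inputs with length prefixes so that field
    boundaries are unambiguous ("ab" + "c" must not equal "a" + "bc")."""
    name = username.encode("utf-8")
    return (struct.pack(">H", len(name)) + name
            + struct.pack(">H", len(client_random)) + client_random
            + struct.pack(">Q", timestamp))


def compute_mac(key: bytes, username: str, client_random: bytes,
                timestamp: int) -> bytes:
    """HMAC-SHA256 stands in for the unspecified MAC (assumption)."""
    return hmac.new(key, encode_fields(username, client_random, timestamp),
                    hashlib.sha256).digest()


def build_request(username: str, key: bytes, client_random: bytes,
                  timestamp: int) -> dict:
    """Client side: the inputs to the calculation plus its output."""
    return {"username": username, "random": client_random,
            "timestamp": timestamp,
            "mac": compute_mac(key, username, client_random, timestamp)}


def verify_request(request: dict,
                   credential_db: Dict[str, List[Tuple[str, bytes]]],
                   now: int,
                   seen: Set[Tuple[str, bytes]]) -> Optional[str]:
    """Server side: recompute the MAC under every key stored for the user
    and return the label of the key that matched, or None.

    credential_db maps a username to one or more (label, key) entries.
    seen holds (username, random) pairs already accepted, to reject replays.
    """
    username = request["username"]
    rnd, ts, mac = request["random"], request["timestamp"], request["mac"]
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None                      # stale or future-dated request
    if (username, rnd) in seen:
        return None                      # replay of an accepted request
    matched = None
    # Try every stored key without stopping at the first hit, and compare
    # in constant time, so timing does not reveal which key matched.
    for label, key in credential_db.get(username, []):
        candidate = compute_mac(key, username, rnd, ts)
        if hmac.compare_digest(candidate, mac) and matched is None:
            matched = label
    if matched is not None:
        seen.add((username, rnd))
    return matched


# Constructed sample data: one user with two stored keys.
SAMPLE_DB = {"guest101": [("previous", b"k" * 32), ("current", b"K" * 32)]}


def demo() -> Optional[str]:
    req = build_request("guest101", b"K" * 32, b"\x01" * 16, 1_000)
    return verify_request(req, SAMPLE_DB, now=1_010, seen=set())


if __name__ == "__main__":
    print(demo())
```
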
The combination of BRYKSA and SCHNEIDER does not expressly teach:
… and comprises information for establishing secure access of the second electronic device to a network.  
However, in the analogous art of client server authentication, RIGNEY teaches:
… and comprises information for establishing secure access of the second electronic device to a network (RIGNEY Sec. 2; “Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client [i.e. the second electronic device] creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing.” RIGNEY Sec. 4.2; “Access-Accept packets are sent by the RADIUS server, and provide specific configuration information necessary to begin delivery of service to the user. If all Attribute values received in an Access-Request are acceptable then the RADIUS implementation MUST transmit a packet with the Code field set to 2 (Access-Accept). On reception of an Access-Accept, the Identifier field is matched with a pending Access-Request. The Response Authenticator field MUST contain the correct response for the pending Access-Request. Invalid packets are silently discarded.” RIGNEY Sec. 5; “RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply.” RIGNEY Sec. 5.8; “Framed-IP-Address… This Attribute indicates the address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.” NOTE: Examiner submits that the client device is the second electronic device, that the Access-Accept message is the acceptance message, and that the Attributes such as an IP address are information for establishing a secure connection.)
BRYKSA, SCHNEIDER, and RIGNEY are from similar technology relating to secure network access and authentication.  It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed in BRYKSA and SCHNEIDER by implementing the acceptance message described in RIGNEY.  Based on the KSR v. TELEFLEX rationale, such an acceptance message involving use of information for completing the connection is nothing but applying a known technique to a known device and method ready for improvement to yield predictable results.
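The Access-Accept handling quoted from RFC 2865 Sec. 4.2 and 5.8, as an added example (not code from the Office action, the RFC, or any cited reference). It follows the RFC 2865 packet layout and Response Authenticator calculation; the function names, shared secret and addresses are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_ACCEPT = 2        # Code value for Access-Accept (RFC 2865)
FRAMED_IP_ADDRESS = 8    # Attribute type for Framed-IP-Address (RFC 2865 Sec. 5.8)
HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attributes: bytes) -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    header = struct.pack(">BBH", ACCESS_ACCEPT, identifier,
                         HEADER_LEN + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split the attribute area into (type, value) pairs; the Length octet
    counts the Type and Length octets, so it must be at least 2."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[i], data[i + 1]
        if a_len < 2 or i + a_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[i + 2:i + a_len]))
        i += a_len
    return attrs


def validate_access_accept(packet: bytes, pending: Dict[int, bytes],
                           secret: bytes) -> Optional[dict]:
    """Client (NAS) side. pending maps the Identifier of each outstanding
    Access-Request to its Request Authenticator. Returns the parsed result,
    or None when the packet must be silently discarded."""
    if len(packet) < HEADER_LEN:
        return None
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < HEADER_LEN or length > len(packet):
        return None
    packet = packet[:length]             # octets past Length are padding
    request_auth = pending.get(ident)
    if request_auth is None:
        return None                      # no pending Access-Request matches
    attributes = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return None                      # wrong secret or modified packet
    try:
        attrs = parse_attributes(attributes)
    except ValueError:
        return None
    framed_ip = None
    for a_type, value in attrs:
        if a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            framed_ip = str(ipaddress.IPv4Address(value))
    pending.pop(ident)                   # each request is answered once
    return {"identifier": ident, "framed_ip": framed_ip}


# Constructed sample values.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ATTRS = bytes([FRAMED_IP_ADDRESS, 6, 10, 20, 30, 40])


def demo() -> Optional[dict]:
    packet = build_access_accept(7, REQUEST_AUTH, SECRET, SAMPLE_ATTRS)
    return validate_access_accept(packet, {7: REQUEST_AUTH}, SECRET)


if __name__ == "__main__":
    print(demo())
```
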
As to Claim 5
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches: wherein the policy comprises a time interval when the passphrase is valid ( BRYKSA Col 17, ll. 4-17; “As shown in FIG. 4, the credential database 123 is organized in this embodiment as a table having user-specific access credentials stored in rows. A first column 400 stores the username, a second column 402 stores the password, a third column 404 stores an expiry date/time, and a fourth column 406 stores a unique client ID. Other additional or substitute columns may be utilized in other embodiments according to the desired format of the access credentials. For instance, in other embodiments, the user-specific access credential may only include a unique passkey, or may be formed by other types of values such as an electronic room key or other access code. The columns of the credential database 123 may be chosen accordingly in these embodiments.” BRYKSA Col. 17, ll. 28-36; “The expiry time specified in column 404 represents the duration of Internet access for this client device 130 and is set by the login portal 125 to "May 24, 2012 18:00 " in this example, which corresponds to 24-hours from the current time in the example that the guest is booked for a single night at the hotel. Other expiry durations may be utilized in other embodiments.”).
As to Claim 6
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches: wherein the policy comprises a location where the passphrase is valid or the network that the user is allowed to access (BRYKSA Col 11, ll. 30-31; “For illustration purposes the hotspot provider in this embodiment is a hotel”.  BRYKSA Col 17, ll. 4-17; “As shown in FIG. 4, the credential database 123 is organized in this embodiment as a table having user-specific access credentials stored in rows. A first column 400 stores the username, a second column 402 stores the password, a third column 404 stores an expiry date/time, and a fourth column 406 stores a unique client ID. Other additional or substitute columns may be utilized in other embodiments according to the desired format of the access credentials. For instance, in other embodiments, the user-specific access credential may only include a unique passkey, or may be formed by other types of values such as an electronic room key or other access code. The columns of the credential database 123 may be chosen accordingly in these embodiments.” BRYKSA Col. 18, ll. 4-9; “When the source VLAN in column 502, the target location in column 504 and the MAC address in column 506 match incoming network traffic, the firewall 120 performs the action specified in column 508, i.e., either allows the network traffic or drops the network traffic and redirects the client device 130 to the login portal 125.” NOTE: Examiner submits that the secure VLAN is “the network that the user is allowed to access” and is part of the credential database or firewall rules—the “policy.”)
As to Claim 7
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches, wherein the interface circuit is configured to communicate with a second computer (BRYKSA Col. 11, ll. 41-43; “and a network interface 110 [i.e. interface circuit] coupled to the hotel's LAN 106.” BRYKSA Col. 31, ll. 1-5; “one or more access points [first and second and more computers] providing a secure wireless network employing network-level encryption and requiring successful completion of an authentication process before allowing association therewith by the client device [second electronic device]”);
wherein the operations comprise communicating with the second computer to determine whether the second electronic device is associated with the location; and wherein, when the second electronic device is associated with the location, the access acceptance message is selectively provided (BRYKSA Col. 17, ll. 45-50; “At step 214 the login portal 125 passes the MAC address (or another device identifier such as the IP address, subscriber card identifier, etc.) [the acceptance message] of the client device [second electronic device] 130 to the firewall 120 in order to clear the MAC address for access [acceptance message is selectively provided] to the Internet 102 when the client device 130 is associated with the hotel's secure wireless network [location] 142.”).
As to Claim 8
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches, wherein the network comprises a virtual network associated with a location, and the information in the access acceptance message allows the second electronic device to establish secure communication with the virtual network (BRYKSA Col. 17, ll. 60-65; “the APs 132 are configured to place network traffic from client devices 130 that are associated with the open wireless network 140 on a first VLAN (e.g., VLAN_open) [a virtual network], and to place network traffic from client devices 130 that are associated with the secure wireless network [a location] 140 on one or more second VLANs”).
In addition, RIGNEY teaches “the information in the access acceptance message allows the second electronic device to establish secure communication with the virtual network” (RIGNEY Sec. 2; “Once the client has obtained such information, it may choose to authenticate using RADIUS. To do so, the client [i.e. the second electronic device] creates an "Access-Request" containing such Attributes as the user's name, the user's password, the ID of the client and the Port ID which the user is accessing.” RIGNEY Sec. 4.2; “Access-Accept packets are sent by the RADIUS server, and provide specific configuration information necessary to begin delivery of service to the user. If all Attribute values received in an Access-Request are acceptable then the RADIUS implementation MUST transmit a packet with the Code field set to 2 (Access-Accept). On reception of an Access-Accept, the Identifier field is matched with a pending Access-Request. The Response Authenticator field MUST contain the correct response for the pending Access-Request. Invalid packets are silently discarded.” RIGNEY Sec. 5; “RADIUS Attributes carry the specific authentication, authorization, information and configuration details for the request and reply.” RIGNEY Sec. 5.8; “Framed-IP-Address… This Attribute indicates the address to be configured for the user. It MAY be used in Access-Accept packets. It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer that address, but the server is not required to honor the hint.” NOTE: Examiner submits that the client device is the second electronic device, that the Access-Accept message is the acceptance message, and that the Attributes such as an IP address are information for establishing a secure connection.)
As to Claim 9
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches: wherein the virtual network comprises: a virtual local area network (VLAN) or a virtual extensible local area network (VXLAN) (BRYKSA Col. 17, ll. 60-65; “the APs 132 are configured to place network traffic from client devices 130 that are associated with the open wireless network 140 on a first VLAN (e.g.,VLAN_open), and to place network traffic from client devices 130 that are associated with the secure wireless network 140 on one or more second VLANs”).
As to Claim 12
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches, wherein the secure communication is independent of traffic associated with other users of the network (BRYKSA Col 17, ll. 60-67—Col 18, ll. 1-3; “In this embodiment, the APs 132 are configured to place network traffic from client devices 130 that are associated with the open wireless network 140 on a first VLAN (e.g., VLAN_open), and to place network traffic from client devices 130 that are associated with the secure wireless network 140 on one or more second VLANs (e.g., VLAN_secure in FIG. 5). In addition to segregating traffic from the open and secure wireless networks 140, 142 on different VLANs for security purposes, the different VLAN tags allow the firewall 120 to easily identify the source VLAN.” BRYKSA Col. 13, ll. 59-62; “While users surf the Internet 102 over the hotel's secured wireless network 142, all over-the-air traffic including packet headers is encrypted and hackers are thereby prevented from eavesdropping sensitive information.” NOTE: Examiner submits that it is well known in the art that a virtual LAN (VLAN) is a logical overlay network that groups together a subset of devices that share a physical LAN, isolating the traffic for each group.)
As to Claim 13
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches, wherein the access request comprises a remote authentication dial-in user service (RADIUS) access request and the access acceptance message comprises a RADIUS access acceptance message (BRYKSA Col. 19, ll. 9-25; “At step 604, the AP 130 automatically queries the RADIUS server 122 to authenticate the received access credential from the client device 130. In an exemplary embodiment implementation, the AP 130 acts as an authenticator while following the authentication process laid out in IEEE 802.1X. At step 606, the RADIUS server 122 determines whether the received access credential is a valid access credential according to information stored in the credential database 123. With reference to FIG. 4, when the received username and password combination match a valid access credential stored in the credential database 123 (e.g., on columns 400, 402), the RADIUS server 122 replies to the AP 132 certifying that the access credential is valid. In an exemplary embodiment implementation, the RADIUS server 122 acts as an authentication server while following the authentication process laid out in IEEE 802.1X.”).
As to Claim 14
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches, wherein the policy allows the user to access multiple networks at different locations (BRYKSA Col. 25, ll. 27-38; “In some embodiments, the access controller is implemented within a firewall, gateway, network address translation (NAT), proxy server, or other networking component that controls the flow [i.e. the policy] of network traffic between the wireless networks [i.e. different locations] 140, 142 and the Internet 102. The invention may also co-exist with other control functions provided by these networking components such as providing website filtering, captive portal functionality, access controls [the policy allows the user to access], parental monitoring, logging etc. Other network components may also perform functions of the access controller and it is not necessary that the hotspot has a dedicated access controller located locally.”).
As to Claim 17
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches, wherein the passphrase is independent of an identifier associated with the second electronic device (BRYKSA Col. 15, ll. 55-61; “In this embodiment, the login portal 125 generates a username and a pseudorandom password [passphrase independent of an identifier associated with the second electronic device] as the user-specific access credential at this step. In a preferred embodiment, the access credential should be temporally unique to the user meaning no other current user of the hotspot is assigned a matching access credential in the credential database 123.” BRYKSA Col. 16, ll. 37-41; “the login portal 125 transmits the user-specific access credential determined at step 208 to the client device [the second electronic device] 130 via the encrypted connection (e.g., HTTPS connection between login portal 125 and client device 130).”).
As to Claim 18
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1” (as above).
In addition, BRYKSA teaches, wherein the passphrase is independent of the second electronic device or hardware in the second electronic device (BRYKSA Col. 16, ll. 37-41; “In this embodiment, the login portal 125 generates a username and a pseudorandom password [passphrase independent of the second electronic device] as the user-specific access credential at this step. In a preferred embodiment, the access credential should be temporally unique to the user meaning no other current user of the hotspot is assigned a matching access credential in the credential database 123.” BRYKSA Col. 15, ll. 55-61; “the login portal 125 transmits the user-specific access credential determined at step 208 to the client device [the second electronic device] 130 via the encrypted connection (e.g., HTTPS connection between login portal 125 and client device 130).”)
As to Claim 19
It is a non-transitory computer-readable medium claim that recites limitations that are similar to those of the device claim 1. Therefore, claim 19 is rejected with the same motivation and rationale as applied against claim 1 above. In addition, BRYKSA teaches: “A non-transitory computer-readable storage medium for use in conjunction with an electronic device, the computer-readable storage medium storing program instructions that, when executed by the electronic device, cause the electronic device to perform operations comprising:” (BRYKSA Col 9, ll. 57-65; “According to yet another exemplary embodiment of the invention there is disclosed a non-transitory computer-readable medium comprising computer executable instructions that when executed by a computer cause the computer to perform steps of providing an open wireless network having no network-level encryption and allowing open association therewith by a client device at a hotspot and establishing an encrypted connection between the client device and a login portal of the hotspot over the open wireless network.”)
As to Claim 20
It is a method claim that recites limitations that are similar to those of the device claim 1.  Therefore, claim 20 is rejected with the same motivation and rationale as applied against claim 1 above.   

Claim 2 is rejected under 35 U.S.C. 103 as being unpatentable over BRYKSA in view of SCHNEIDER in view of RIGNEY in further view of Salaman et al. US 2021/0021597 A1, hereafter SALAMAN.
As to Claim 2
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches “The electronic device of claim 1,” (as above).   
The combination of BRYKSA, SCHNEIDER, and RIGNEY does not expressly teach “wherein the electronic device comprises an authentication, authorization, and accounting (AAA) server.”
However, in an analogous art of secure wireless network connections SALAMAN teaches: “authorization, and accounting (AAA) server” (SALAMAN 0023; “server system 200 may be implemented using a desktop computing device, an access point with an embedded RADIUS or other AAA protocol server functionality, a router with embedded AAA protocol server functionality, or some other device that may function as an AAA server.”)
BRYKSA, SCHNEIDER, RIGNEY, and SALAMAN are from similar technology relating to secure network access and authentication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed in BRYKSA by implementing the server as an AAA server of SALAMAN. Based on the KSR v. TELEFLEX rationale, such an addition uses known methods (using an AAA server) to produce a predictable result (performing 802.1X wireless authentication using AAA features).
Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over BRYKSA in view of SCHNEIDER in view of RIGNEY in further view of Ranade et al. US 8,756,668 B2, hereafter RANADE.
As to Claim 3
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches “The electronic device of claim 1”, (as above) 
In addition, as above, BRYKSA teaches,  “the passphrase” (BRYKSA Col 13, ll. 17-26; “The login portal 125 then generates a user-specific access credential that is passed to the RADIUS server 122 for storage as a valid access credential in the credential database 123. In this embodiment, the user-specific access credential is a unique username/password [the passphrase] combination that is personalized for the specific guest identified by the login process.”)
The combination of BRYKSA, SCHNEIDER, and RIGNEY does not expressly teach “wherein the passphrase comprises a dynamic pre-shared key (DPSK) of the user.”
However, in an analogous art of secure wireless network connections RANADE teaches: “wherein the passphrase comprises a dynamic pre-shared key (DPSK) of the user.” (RANADE Col. 1, ll. 34-42; “Pre-shared key (PSK)-based security systems require that secret be manually entered onto all user devices using the network. A PSK-based system relies on a secret shared between and stored at both the client station and the access point. The secret may be, for example, a long bit stream, such as a passphrase, a password, a hexadecimal string, or the like. Used by a client station and the access point to authenticate each other, the secret may also be used to generate an encryption key set.” Moreover, in RANADE Col. 4, ll. 34-47; “Hotspot controller 150 manages the one or more hotspot access points 130 in network environment 100. As such, the hotspot controller 150 intelligently manages the hotspot wireless services, including deployment, RF assignments, traffic/load balancing, and security. In terms of security, for example, the hotspot controller 150 may receive a request that a user device 110 be allowed to use the secured communication network 120B. Hotspot controller 150 dynamically generates a unique pre-shared key [i.e. a dynamic pre-shared key or DPSK] for the requesting user device 110 and return the key to web portal server 140, which in turns generates a web page displaying the unique pre-shared key to the user device 110. User device 110 may then use the preshared key in a request to access secure communication network 120B.”)
BRYKSA, SCHNEIDER, RIGNEY, and RANADE are from similar technology relating to secure network access and authentication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the passphrase disclosed in BRYKSA, SCHNEIDER, and RIGNEY by either substituting or appending a DPSK as disclosed in RANADE. Based on the KSR v. TELEFLEX rationale, such a substitution uses known methods (a dynamically generated key) to produce a predictable result (having unique keys generated at runtime).
Claim(s) 4 is/are rejected under 35 U.S.C. 103 as being unpatentable over BRYKSA in view of SCHNEIDER in view of RIGNEY in further view of Roths et al. US 10,230,522 B1, hereafter ROTHS.
As to Claim 4
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1,” (as above).
In addition, SCHNEIDER teaches “the output of the cryptographic calculation;” (SCHNEIDER 0016; “that includes the username, a client random string, a client timestamp, [i.e. inputs to a cryptographic calculation] and a MAC [i.e. output of the cryptographic calculation] over the previous three values, using the encrypted password as the key.” NOTE: Examiner submits that the MAC using the encrypted password is corresponding to a passphrase associated with a user, and the username, client random string, client timestamp, and MAC are the passphrase parameters.)
The combination of BRYKSA, SCHNEIDER, and RIGNEY does not expressly teach “wherein the passphrase parameters comprises: a random number associated with the second electronic device, a random number associated with a computer network device, the output of the cryptographic calculation, an identifier of the second electronic device, and an identifier of the computer network device.”
However, in an analogous art of secure wireless network connections ROTHS teaches: “wherein the passphrase parameters comprises: a random number associated with the second electronic device, a random number associated with a computer network device, the output of the cryptographic calculation, an identifier of the second electronic device, and an identifier of the computer network device.” (ROTHS Col 9, ll. 47-50; “The client device may perform the authentication procedure using the WPA/WPA2 four way handshake mechanism in accordance with IEEE 802.11.” ROTHS Col 9, ll. 56-67; “A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating one more parameters that may be shared between the AP and the client device. Some of these parameters may be the PMK, AP nonce (ANonce) [i.e. a random number associated with a computer network device], STA nonce (SNonce) [i.e. a random number associated with the second electronic device], AP MAC address [i.e. an identifier of the computer network device], and STA MAC address [i.e. an identifier of the second electronic device]. The four-way handshake may also yields another key known as the GTK (Group Temporal Key), which is used to decrypt multicast and broadcast traffic. The four-way handshake is designed so that the AP and the client device can independently prove to each other that they know the PSK/PMK, without disclosing the PSK or the PMK.”)
BRYKSA, SCHNEIDER, RIGNEY, and ROTHS are from similar technology relating to secure network access and authentication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed in BRYKSA, SCHNEIDER, and RIGNEY by implementing the IEEE standard disclosed in ROTHS.  Based on the KSR v. TELEFLEX rationale, such an implementation uses known methods (hashing multiple data such as random numbers, addresses, or other identifying information) to produce a predictable result (guaranteeing uniqueness of keys attributable to their respective devices). 

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over BRYKSA in view of SCHNEIDER in view of RIGNEY in further view of Dubuc et al. US 2008/0028445 A1, hereafter DUBUC.
As to Claim 10
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 1,” (as above).
The combination of BRYKSA, SCHNEIDER, and RIGNEY does not expressly teach “wherein the access acceptance message comprises an identifier of the virtual network; and wherein the identifier comprises a virtual local area network identifier (VLANID) or a virtual network identifier (VNI).”
However, in an analogous art of secure wireless networking DUBUC teaches, “wherein the access acceptance message comprises an identifier of the virtual network; and wherein the identifier comprises a virtual local area network identifier (VLANID) or a virtual network identifier (VNI).” (DUBUC 0082; “According to one embodiment, the attribute-to-interface table 430 represents a mapping of attribute values (e.g., VLAN-name, VLAN-id, Vdom-name, interface-name, etc.) that may be returned with successful authentication responses to corresponding network interfaces of the network gateway 400.”)
BRYKSA, SCHNEIDER, RIGNEY, and DUBUC  are from similar technology relating to secure network access and authentication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed in BRYKSA, SCHNEIDER, and RIGNEY by adding the VLAN_ID to an acceptance response message. Based on the KSR v. TELEFLEX rationale, we are using known methods (identifying a VLAN with a VLAN identifier) in order to achieve a predictable result (assigning a client device to a particular VLAN). 
Claim(s) 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over BRYKSA in view of SCHNEIDER in view of RIGNEY in further view of Menachem et al. US 2019/0190892 A1, hereafter MENACHEM.
As to Claim 11
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches “The electronic device of claim 10,” (as above)
The combination of BRYKSA, SCHNEIDER, and RIGNEY does not teach “wherein the identifier comprises information that specifies one of more than 4,096 virtual networks.”
However, in an analogous art of secure wireless network connections MENACHEM teaches: “wherein the identifier comprises information that specifies one of more than 4,096 virtual networks.” (MENACHEM 0066; “More complex use cases can arise when other actions are combined with IPsec. For example, Rx pipe 68 can be directed by the flow steering entries to decapsulate and handle an IPsec packet that is encapsulated in a Virtual Extensible LAN (VXLAN) packet [information that specifies one of more than 4,096 virtual networks], or a VXLAN packet that is encapsulated inside an IPsec packet. Tx pipe 66 can similarly be directed to perform this sort of multi-level encapsulation.” NOTE: Examiner submits that one skilled in the art will know that a VXLAN supports about 24 bits worth of address space, yielding 16,777,216 addressable virtual networks, greatly in excess of 4,096 virtual networks.)
BRYKSA, SCHNEIDER, RIGNEY, and MENACHEM are from similar technology relating to secure network access and authentication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed in BRYKSA, SCHNEIDER, and RIGNEY by implementing the VLAN identifiers in BRYKSA and SCHNEIDER with the VXLANs disclosed in MENACHEM. Based on the KSR v. TELEFLEX rationale, such an addition uses known methods (allocating more bits to address identifier data) to produce a predictable result (having more virtual network identifiers).
Claim(s) 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over BRYKSA in view of SCHNEIDER in view of RIGNEY in further view of Gan et al. CN107800539A1, hereafter GAN.
As to Claim 15
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 14,” (as above)
In addition, the combination of BRYKSA, SCHNEIDER, and RIGNEY teaches “wherein the inputs used in the calculation of the one or more second outputs” (SCHNEIDER 0024; “A server MAC module 122 looks up the encrypted password [i.e. one or more stored passphrases] based on the username, calculates a MAC [i.e. one or more second outputs of the cryptographic calculation] over the first three values in the request [inputs].”)
The combination of BRYKSA, SCHNEIDER, and RIGNEY does not teach “wherein the inputs used in the calculation of the one or more second outputs comprise a given identifier of a given network.”  
However, in an analogous art of secure wireless network connections GAN teaches: “wherein the inputs used in the calculation of the one or more second outputs comprise a given identifier of a given network.” (GAN p. 7 paras. 17-19; “According to communication shared key K_com or session key K_session, the first random parameter and the second random parameter, Generate the 2nd MAC. Wherein: K_com=H (e (xH (ID1), H (ID2)) ^ { H (parameter 1) }), wherein, parameter 1 can be service identifiers, section mark, link identification, connection identifier, session identification, service network identification [i.e. given identifier of a given network], public land mobile network mark, the first user markKnow and at least one in second user mark; H () algorithm is Hash () algorithm or HMAC () algorithm.”)
BRYKSA, SCHNEIDER, RIGNEY, and GAN are from similar technology relating to secure network access and authentication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the system disclosed in BRYKSA, SCHNEIDER, and RIGNEY by adding network identifier information disclosed in GAN to the passphrase parameters of BRYKSA and SCHNEIDER, as an input to the MAC function. Based on the KSR v. TELEFLEX rationale, such an implementation uses known methods (hashing (or taking a MAC function of) multiple data such as random numbers, network addresses, or other identifying information) to produce a predictable result (guaranteeing uniqueness of keys based on the identifying information of the keys).
Claim(s) 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over BRYKSA in view of SCHNEIDER in view of RIGNEY in further view of Kotay et al. US 2019/0182666 A1, hereafter KOTAY.
As to Claim 16
The combination of BRYKSA, SCHNEIDER, and RIGNEY teaches: “The electronic device of claim 4,” (as above) 
In addition, BRYKSA teaches “stored passphrases” (“receiving an access request associated with the computer” (“The RADIUS server 122 [i.e. the electronic device] stores valid access credentials in a credential database [stored passphrases] 123 and is queried by access points (APs) [i.e. the computer] 132 at the hotspot when authenticating received access credentials from client devices 130 requesting association with the hotel's secure wireless network 142.” BRYKSA Col. 12, ll. 3-8.))
The combination of BRYKSA, SCHNEIDER, and RIGNEY does not teach: “wherein the one or more stored passphrases are organized based at least in part on identifiers of different networks.”
However, in an analogous art of secure wireless network connections KOTAY teaches: “wherein the one or more stored passphrases are organized based at least in part on identifiers of different networks.” (KOTAY 0027; “The token may contain data that identifies one or more of the user device, the user, and/or the first network. The validation server may maintain a database of user accounts and network credentials associated with those user accounts. The network credentials may include, identifiers (e.g., network identifiers, service identifiers, SSIDs, etc. . . . ), passcodes, passwords, and the like for networks associated with users of the user accounts. Whenever network credentials are required to access a network(s) (e.g., the first network), such as when a change is made to an identifier, a passcode, a password, combinations thereof, and the like to the network(s), the changes may be transmitted to the validation server. The validation server may associate the network credentials with the user/user account and/or stored the network credentials for later use.” NOTE: Examiner submits that a database organizes the different network identifiers.)
BRYKSA, SCHNEIDER, RIGNEY, and KOTAY are from similar technology relating to secure network access and authentication. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify the database disclosed in BRYKSA, SCHNEIDER and RIGNEY by taking advantage of the flexibility and organizational abilities of a database system as disclosed in KOTAY. In essence all that is needed is to add a column of data to the credential database of BRYKSA to achieve the combination.  Based on the KSR v. TELEFLEX rationale, using a database in such a way to query on network credentials uses known methods (using a database) to produce a predictable result (having more control over the manipulation of stored data).    
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Humble US-20190303561-A1 discloses cryptographic calculations using random number salts concatenated to user passwords and then hashed as a means of storing passphrases. 
Sierra et al. US 2019/0312726 A1 discusses group identifiers being used in wireless authentications.
Shen et al. US 2018/0041360 A1 discloses VLAN usage in conjunction with hashing VLAN addresses for multi-casting over a fibre network. 
Sethi et al. US 2007/0094356 A1 discloses context aware profiling for wireless networks. 
Windsor et al. US 11,451,959 B2 authenticates clients in wireless communications with a pre-shared key. 
Olshansky et al. US 10,873,858 B2 implements a zone migration system in the context of a hotel wireless network. 
Peyravian US-6363154-B1 teaches methods for hashing  inputs to cryptographic functions. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT MATIJASEC whose telephone number is (571)272-6314. The examiner can normally be reached on M-THU 9AM-6PM and FRI 9AM-1PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw, can be reached at telephone number 571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
/R.M./Examiner, Art Unit 2498           

/YIN CHEN SHAW/Supervisory Patent Examiner, Art Unit 2498