Prosecution Insights
Last updated: April 19, 2026
Application No. 17/649,704

SECURE MULTI-ENTERPRISE WIRELESS NETWORK

Final Rejection §103
Filed: Feb 02, 2022
Examiner: DHAKAD, RUPALI
Art Unit: 2437
Tech Center: 2400 — Computer Networks
Assignee: Palo Alto Networks Inc.
OA Round: 4 (Final)
Grant Probability: 39% (At Risk)
OA Rounds: 5-6
To Grant: 3y 6m
With Interview: 71%

Examiner Intelligence

Grants only 39% of cases
Career Allow Rate: 39% (13 granted / 33 resolved), -18.6% vs TC avg
Strong +31% interview lift
Interview Lift: +31.2% (resolved cases with interview)
Typical timeline
Avg Prosecution: 3y 6m
40 currently pending
Career history
Total Applications: 73 (across all art units)

Statute-Specific Performance

§101: 13.0% (-27.0% vs TC avg)
§103: 56.1% (+16.1% vs TC avg)
§102: 9.1% (-30.9% vs TC avg)
§112: 20.0% (-20.0% vs TC avg)
Based on career data from 33 resolved cases

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 12 and 20 are amended. Claims 1, 4-15, 18-24 are pending.

Response to Arguments

Applicant's arguments filed 07/17/2025 have been fully considered but they are not persuasive. Because applicant argues that “Zhang/Zhang does not maintain such associations between MAC addresses and authentication servers, which correspond to different enterprises, for 802.1X authentication that inform to which authentication server to forward authentication messages transmitted by a client. While Zhang/Zhang may mention MAC addresses and authentication servers such as RADIUS servers, Zhang/Zhang is silent regarding support of authentication of clients to various authentication servers that correspond to different enterprises and authenticate according to 802.1X authentication….The network controller "caches the current authentication status received from the authentication device/server." Determining a prior authentication result associated with a wireless client device based on a cached MAC addresses and corresponding authentication status information as in Zhang does not disclose performing a lookup with a MAC address in maintained associations between MAC addresses associated with devices and indications of a plurality of authentication servers corresponding to the devices maintained by the network device as claim 1 recites.
This also does not disclose that each of the plurality of authentication servers is associated with a different one of a plurality of enterprises and authenticates clients according to 802.1X authentication as claim 1 also recites….For instance, authentication status information in Zhang indicates whether a prior authentication of a device was successful or unsuccessful. There is no disclosure or implication in Zhang that the cached MAC addresses and authentication status information indicates authentication servers corresponding to a plurality of different enterprises and authenticates clients according to 802.1X authentication, and an indication of whether prior authentication of a device was successful or unsuccessful does not inform to which of a plurality of authentication servers associated with different enterprises a client device corresponds. As is evident from this teaching in Zhang, none of these cache fields constitute an indication of an authentication server that corresponds to one of a plurality of different enterprises and authenticates clients according to 802.1X authentication. Zhang does not even imply that the remote server 210 corresponds to one of a plurality of different enterprises and authenticates clients according to 802.1X authentication, nor does the network controller in Zhang that maintains the cache communicate with a plurality of authentication servers that authenticate clients according to 802.1X authentication and correspond to different enterprises. Zhang is silent regarding association of remote servers with various enterprises…”.

Examiner respectfully disagrees because Zhang (US 2016/0087954 A1) discloses in paragraph [0042], before accessing a network resource, client device 102 can be expected to be authenticated by controller 106 to determine whether device 102 should be allowed access to the requested resource.
Such authentication can be enabled by means of one or more remote authentication devices, such as LDAP server 108-1, remote server 108-2, or RADIUS server 108-3, which may be collectively and interchangeably referred as remote authentication device 108 hereinafter, which can be configured to authenticate one or more client devices 102 attempting to access a resource, wherein the remote authentication device 108 can be configured to provide and update current authentication status of each device by, maintaining the authentication status (=maintaining the association) along with the MAC address of one or more stored/registered/applicable client devices 102. Examiner is interpreting the “authentication status” as “indications of a plurality of authentication servers corresponding to the devices maintained by the network device”, i.e., successful or unsuccessful indication which is coming from the remote server (=which also can be a RADIUS server). Zhang discloses “performing look up to determine whether the client device is authorized to access requested resource cited in the paragraph [0059], by performing a lookup based on the client device's MAC address”. At step 406, the network controller can authenticate the client device based on the current authentication status received from the remote server (=authentication server) such that if the current authentication status indicates successful authentication which is interpreted as “indications of a plurality of authentication servers corresponding to the devices maintained by the network device”.

Applicant argues that “Zhang is silent regarding association of remote servers with various enterprises…”.
Examiner respectfully disagrees because Zhang-8638 discloses in [0051], “For example, such a Tracking_Tag string or text can contain information for identifying an authentication session performed between the mobile device 302 and the authentication server 306, such as the FQDN or IP address of the authentication server 306, the MAC address of the mobile device 302, and a unique session identifier generated by the authentication server 306.” which can show the FQDN/IP address of the authentication server, which is unique for each enterprise, and forward the authentication message to where it belongs. Furthermore in paragraph [0052], In an exemplary implementation, network controller 206 maintains a mapping of the current (last known) authentication status associated with client device 202 against its MAC address in the form of a database, a table or the like (=examiner is interpreting that the mapping of the MAC address and its status is maintained in a database or a table). In the context of the present example, cache 208 is conceptually illustrated in the form of a table, which may have fields including, but not limiting to, the MAC address of the client device, current authentication status as received from remote server 210… Additionally, in paragraph [0055], In an aspect, multiple entries for the same client device 202 can be created to maintain a log of prior authentication status, or alternatively the current authentication status can replace/overwrite the prior authentication status so that only the latest status is stored in cache 208.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 7-8, 10, 13-15, 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U. S. PGPub. No. 2016/0087954 A1) (hereinafter “Zhang”) and further in view of Zhang et al. (U. S. PGPub. No. 2017/0118638 A1) (hereinafter “Zhang-8638”)

Regarding Claim 1, Zhang teaches:

detecting, by a network device which makes available a wireless network, a first request transmitted by a first device (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device.
[0038] According to one embodiment, a wireless network controller is provided having a client request receive module configured to receive an authentication request relating to a wireless client device from a wireless access point (AP) coupled to a wireless local area network (WLAN) and managed by the wireless network controller) wherein the wireless network is secured with Wi-Fi protected access (WPA)-Enterprise security (Zhang: [0050], the current authentication status can be provided by a remote authentication device 108, such as a Remote Authentication Dial-in User Service (RADIUS) server 108-3, or by a Terminal Access Controller Access-Control System (TACACS) server, or by a Lightweight Directory Access Protocol (LDAP) server 108-1, or by any remote authentication server that can be configured to provide authentication in addition to other authentication methods, such as OPEN, WPA-personal and WPA-enterprise.) determining first network information associated with the first device that is indicated in the first request (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device. [0042], client device 102 can be expected to be authenticated by controller 106 to determine whether device 102 should be allowed access to the requested resource. 
Such authentication can be enabled by means of one or more remote authentication devices, such as LDAP server 108-1, remote server 108-2, or RADIUS server 108-3, which may be collectively and interchangeably referred as remote authentication device 108 hereinafter, which can be configured to authenticate one or more client devices 102 attempting to access a resource, wherein the remote authentication device 108 can be configured to provide and update current authentication status of each device by, maintaining the authentication status along with the MAC address (=network information) of one or more stored/registered/applicable client devices 102)); wherein the first network information comprises a first media access control (MAC) address associated with the first device (Zhang: [0058], client request receive module 304 can be configured to receive an authentication request relating to a wireless client device from a wireless AP coupled to a WLAN and that is managed by the wireless network controller 302. In an instance, when the client device changes its location from a first AP to a second AP, the client device may be required to send an authentication request, including its MAC address or any other device identifier (=network information), to the controller 302) ; performing, by the network device, a first look up with the first MAC address on associations between MAC addresses associated with devices (Zhang: [0059], by performing a lookup based on the client device's MAC address or issuing a suitable query based on the MAC address. 
When no authentication record is present in the cache, the authentication request can be forwarded by controller 302 to a remote authentication server; otherwise the authentication request can be initially processed locally by controller 302 based on the existing cache record) and indications of a plurality of authentication servers corresponding to the devices maintained by the network device (Zhang: [0064], Assuming that there is no prior authentication result/record available within the cache of the network controller, at step 404, the network controller can send the authentication request to a remote server to provide a current authentication status associated with the client device. At step 406, the network controller can authenticate the client device based on the current authentication status received from the remote server such that if the current authentication status indicates successful authentication, the client device is allowed access to the WLAN or resources therein; otherwise, if the current authentication status is unsuccessful, the client device can be denied access to the WLAN or otherwise be de-authenticated), wherein each of the plurality of authentication servers is associated with a different one of a plurality of enterprises (Zhang: [0007] In a typical enterprise setup, there may be several APs installed throughout the enterprise network (which may be referred to as a WLAN) to provide access to information/data to client devices connected from within the enterprise network or from outside the enterprise network (=plurality of authentication servers). A WLAN allows end users/client device to access a corporate intranet and/or the Internet to manage e-mails, schedule meetings, and access files and applications/resources on the corporate or university or enterprise network from anywhere such as from conference rooms, classrooms, co-workers' desks, the cafeteria or virtually from anywhere within the campus. 
To manage these APs and/or to grant access to the device connecting through the APs, a centralized network controller is typically configured, wherein one or more APs connect to the centralized network controller to authenticate client devices that are connected to (or are attempting to connect to) the enterprise network using the Aps) and authenticates clients according to 802.1X authentication (Zhang 7954: [0011] It has been recognized that vulnerabilities exist in the authentication methods and data privacy schemes provided by 802.11. To end that, IEEE has adopted 802.1X as a new standard for session authentication on wired and wireless networks. This standard can provide WLANs with strong, mutual authentication between a client and an authentication server); determining if a result of the first lookup with the first MAC address indicates one of the plurality of authentication servers (Zhang: [0034], Based on the received authentication request, the wireless network controller determines whether a prior authentication result associated with the wireless client device is present in a cache of the wireless network controller, and permits the wireless client device to access the WLAN via the AP when the prior authentication result (=result of the first lookup) is present and the prior authentication result indicates that the wireless client device was previously successfully authenticated).) and based on determining that the result of the first lookup indicates a first of the plurality of authentication servers (Zhang: [0052], network controller 206 maintains a mapping of the current (last known) authentication status associated with client device 202 against its MAC address in the form of a database, a table or the like. 
In the context of the present example, cache 208 is conceptually illustrated in the form of a table, which may have fields including, but not limiting to, the MAC address of the client device, current authentication status as received from remote server 210, and a timestamp of the last update received from remote server 210),

Zhang does not explicitly disclose: forwarding authentication messages subsequently transmitted by the first device to the first authentication server for authentication of the first device to the first authentication server according to 802.1X authentication.

However in an analogous art Zhang-8638 teaches: forwarding authentication messages subsequently transmitted by the first device to the first authentication server (Zhang-8638: [0028], By having the wireless access point echo the same tracking tag in each subsequent authentication message that it forwards to the authentication server in the authentication session…) for authentication of the first device to the first authentication server according to 802.1X authentication (Zhang-8638: [0029], the wireless access point 102 can be deployed within a wireless local area network (WLAN) such as a Wi-Fi network 108 that conforms to one or more of the Institute of Electrical and Electronic Engineers (IEEE) 802.11 series of standards…The Wi-Fi-enabled device 104 can be a Wi-Fi-enabled smartphone, tablet computer, laptop computer, or any other suitable Wi-Fi-enabled device.
Further, the Wi-Fi controller 110 can be configured to support Hotspot 2.0, which is a technology based on the IEEE 802.11u, 802.11i, and 802.1x standards and…the local and remote ANQP servers 106, 114 can each be configured to conform to the Remote Authentication Dial-In User Service (RADIUS) protocol defined in RFC 2865 Remote Authentication Dial In User Service (RADIUS)…)

It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Zhang’s method of receiving authentication request from the user device to securely access the enterprise network by applying Zhang-8638’s method of forwarding each subsequent authentication message to the authentication server in the authentication session. The motivation is to determine the authentication session to which the respective authentication messages belong and facilitating subsequent troubleshooting of the authentication session in the event of an unexpected failure (Zhang-8638: [Abstract]).

Regarding Claim 7, the Zhang in view of Zhang-8638 teaches: The method of claim 1 (see rejection of claim 1 above), based on determining that the result does not indicate one of the plurality of authentication servers, terminating a connection between the network device and the first device (Zhang: [0045], On the other hand, if the current authentication status received from remote authentication device 108 by the wireless network controller 106 represents an unsuccessful authentication of wireless client device 104, wireless network controller 106 may direct AP 104 to immediately revoke access to the WLAN by wireless client device 102).

Regarding Claim 8, the Zhang in view of Zhang-8638 teaches: The method of claim 1 (see rejection of claim 1 above), wherein the network device comprises an access point, wherein the first request comprises an association request, wherein determining the first network information comprises determining the first network information from the association request. (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device).

Regarding Claim 10, Zhang teaches: One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions to (Zhang: [0068] Embodiments of the present disclosure include various steps, which have been described in detail above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware):

This claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (non-transitory medium). For this reason the same grounds of rejection are applied to claim 10.

Regarding Claim 13, the Zhang in view of Zhang-8638 teaches: The non-transitory machine-readable media of claim 10 (see rejection of claim 10 above), based on a determination that the result of the lookup does not indicate one of the authentication servers, terminate communication with the first client (Zhang: [0061], if the current authentication status received from remote authentication server by the network controller 302 represents an unsuccessful authentication of client device in context, the AP can immediately revoke access of the client device to the WLAN and also update the cache accordingly so that the device is not authentically by local authentication by the controller's cache).

Regarding Claim 14, the Zhang in view of Zhang-8638 teaches: The non-transitory machine-readable media of claim 10 (see rejection of claim 10 above), wherein the first request comprises an association request, and wherein the instructions to determine the first MAC address comprise instructions to determine the first MAC address from the association request (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device)

Regarding Claim 15, Zhang teaches: An access point comprising (Zhang: [0041] FIG. 1 illustrates an exemplary wireless network architecture 100 in accordance with an embodiment of the present invention. As illustrated, architecture 100 of FIG. 1 can include one or more access points such as access point-1 104-1, access point-2 104-2, and access point-3 104-3, which may be collectively and interchangeably referred to as access point (AP) 104 hereinafter, which are configured to provide wireless connectivity to one or more wireless client devices, such as client device 102-1, 102-2, and so on, which may be collectively referred to as client device(s) 102 hereinafter.
[0043] As illustrated, each AP 104 can be configured to provide wireless connectivity to a WLAN to one or more client devices 102 that are within range. For instance, access point-1 104-1 can provide wireless access to client device 102-1, client device 102-2, client device 102-3, and client device 102-4. Similarly, access point-2 104-2 can provide wireless access to client device 102-5, client device 102-6, client device 102-7, and client device 102-8, and so on. In an example implementation, network controller 106 can be operatively coupled with APs 104 using a wireless interface and/or through a wired interface): a processor (Zhang: [0070] Examples of processor 605 include, but are not limited to, an Intel® Itanium® or Itanium 2 processor(s), or AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system on a chip processors or other future processors. Processor 605 may include various modules associated with monitoring unit as described in FIGS. 2-4) and a computer-readable medium having instructions stored thereon that are executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware),to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) This claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (Apparatus medium). 
For this reason the same grounds of rejection are applied to claim 15.

Regarding Claim 22, Zhang in view of Zhang-8638 teaches: The method of claim 1 (see rejection of claim 1 above),

The above cited combination of Zhang in view Zhang-8638 does not explicitly disclose: wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address for each of the plurality of authentication servers

Furthermore, Zhang-8638 teaches: wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address for each of the plurality of authentication servers (Zhang-8638: [0042], Tracking_Tag (=indications of the plurality of authentication server): [ANQP Server FQDN/IP addr], [Mobile Device MAC addr], [Session ID], (1) in which “ANQP Server FQDN/IP addr” corresponds to the Fully Qualified Domain Name (FQDN) or Internet protocol (IP) address of the authentication server 306, “Mobile Device MAC addr” corresponds to the MAC address of the mobile device 302, and “Session ID” corresponds to a unique session identifier generated by the authentication server 306. It is noted that the string, Tracking_Tag (=indications of the plurality of authentication server), can alternatively include any other suitable information for identifying the authentication session performed between the mobile device 302 and the authentication server 306).

It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Zhang’s method of receiving authentication request from the user device to securely access the enterprise network by applying Zhang-8638’s method of identifying an authentication session information such as FQDN or IP address of the authentication server.
The motivation is to track authentication sessions performed between Wireless Fidelity (Wi-Fi)-enabled devices and authentication servers via wireless access points within Wi-Fi networks (Zhang-8638: [0028]).

Regarding Claim 23, the Zhang in view of Zhang-8638 teaches: The access point of claim 15 (See the rejection of claim 15 above), further comprising instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) maintain the associations between the MAC addresses associated with client devices and indications of the plurality of authentication servers (Zhang: [0037] In an aspect, the remote authentication device can include one or a combination of a remote server, a Remote Authentication Dial-in User Service (RADIUS) server, Terminal Access Controller Access-Control System (TACACS) server and a Lightweight Directory Access Protocol (LDAP) server. In another aspect, the authentication request can include a Media Access Control (MAC) address of the wireless client device. In yet another aspect, the remote authentication device can store therein, information associating the MAC address of the wireless client device with the current authentication status of the wireless client device.
In another aspect, the cache can stored therein, information associating the MAC address of the wireless client device with the prior authentication result. In yet another aspect, the authentication request can include a network access identifier indicative of a device signature of the wireless client device),

The above cited combination of Zhang in view Zhang-8638 does not explicitly disclose: wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address of each of the plurality of authentication servers

Furthermore, Zhang-8638 teaches: wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address of each of the plurality of authentication servers (Zhang-8638: [0028], tracking authentication sessions performed between Wireless Fidelity (Wi-Fi)-enabled devices and authentication servers via wireless access points within Wi-Fi networks [0051], such a Tracking_Tag string or text can contain information for identifying an authentication session performed between the mobile device 302 and the authentication server 306, such as the FQDN or IP address of the authentication server 306, the MAC address of the mobile device 302, and a unique session identifier generated by the authentication server 306.).

It would be obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Zhang’s method of receiving authentication request from the user device to securely access the enterprise network by applying Zhang-8638’s method of identifying an authentication session information such as FQDN or IP address of the authentication server. The motivation is to track authentication sessions performed between Wireless Fidelity (Wi-Fi)-enabled devices and authentication servers via wireless access points within Wi-Fi networks (Zhang-8638: [0028]).

Regarding Claim 24, the Zhang in view of Zhang-8638 teaches: The access point of claim 15 (See the rejection of claim 15 above), wherein the first request comprises an association request (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) and wherein the instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) determine the first network information associated with the first client device from the first request (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device) comprise instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps.
Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) to determine the first network information from the association request (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device).
Claim(s) 4 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U. S. PGPub. No. 2016/0087954 A1) (hereinafter “Zhang”) and further in view of Zhang et al. (U. S. PGPub. No. 2017/0118638 A1) (hereinafter “Zhang-8638”); and further in view of Montemurro et al (US 2017/0311142 A1) (hereinafter “Montemurro”).
Regarding Claim 4, the Zhang in view of Zhang-8638 teaches: The method of claim 1 (see rejection of claim 1 above).
The above cited combination of Zhang in view of Zhang-8638 does not explicitly disclose: wherein the wireless network is a hidden wireless network.
However, in an analogous art, Montemurro teaches: wherein the wireless network is a hidden wireless network (Montemurro: [0037], provides for the scanning that can be performed by the wireless device 102 can include scanning for hidden networks. A hidden network is a wireless network that is set to not broadcast its name (or SSID). To perform discovery of a hidden network, the wireless device 102 broadcasts both the name of the wireless network that the wireless device is looking for, as well as the wireless device's name, and security credentials for the hidden network. If the hidden network is in range, then the wireless device 102 can associate with the hidden network).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Montemurro such as a hidden network as a wireless network in order to add an extra layer of network security by reducing its visibility. The motivation is to establish wireless connections, such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP (Montemurro: [0007]).
Claim(s) 5-6, 11-12, 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U. S. PGPub. No. 2016/0087954 A1) (hereinafter “Zhang”) and further in view of Zhang et al. (U. S. PGPub. No. 2017/0118638 A1) (hereinafter “Zhang-8638”) and Montemurro et al (U. S. PGPub 2017/0311142 A1) (hereinafter “Montemurro”); and in further view of Windsor et al (U.S. PGPub. 2021/0099873 A1) (hereinafter “Windsor”).
Regarding Claim 5, the Zhang in view of Zhang-8638 and Montemurro teaches: The method of claim 4 (see rejection of claim 4 above).
The above cited combination of Zhang in view of Zhang-8638 and Montemurro does not disclose: wherein determining the first network information comprises determining from the first request an SSID provided by the first device and the first MAC address associated with the first device.
However, in an analogous art, Windsor teaches: wherein determining the first network information comprises determining from the first request an SSID provided by the first device and a MAC address associated with the first device (Windsor: [0065], each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK.
When a successful match is found, the MAC address of the client device can be bound to the PSK so that in future validation can be performed directly using the PSK).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Montemurro by applying the well-known technique as disclosed by Windsor of determining SSID and MAC address of the first device in order to improve wireless communication networks by providing additional wireless access points for load balancing purpose. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 6, the Zhang in view of Zhang-8638, Montemurro and Windsor teaches: The method of claim 5 (see rejection of claim 5 above).
The above cited combination of Zhang in view of Zhang-8638, Montemurro and Windsor does not explicitly disclose: Wherein the associations further comprise SSIDs corresponding to each of the MAC address of the devices, Wherein performing a lookup with the SSID and the MAC address on associations between the indications of the plurality of authentication servers and pairs of MAC addresses and SSIDs.
However, Windsor teaches: Wherein the associations further comprise SSIDs corresponding to each of the MAC address of the devices (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination (=pair) of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK.); performing a lookup with the SSID and the MAC address on associations between the indications of the plurality of authentication servers and pairs of MAC addresses and SSIDs (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination (=pair) of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK.);
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Montemurro by applying the well-known technique as disclosed by Windsor of performing lookup for authentication server and pair of SSIDs and MAC address in order to improve wireless communication networks by providing additional wireless access points for load balancing purpose. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 11, the Zhang in view of Zhang-8638 teaches: The non-transitory machine-readable media of claim 10 (see rejection of claim 10 above).
The above cited combination of Zhang in view of Zhang-8638 does not explicitly disclose: wherein the wireless network is a hidden wireless network, and wherein the instructions to determine the first MAC address further comprise instructions to determine a first service set identifier (SSID) indicated in the first request.
However, Montemurro teaches: wherein the wireless network is a hidden wireless network (Montemurro: [0037] In further examples, the scanning that can be performed by the wireless device 102 can include scanning for hidden networks. A hidden network is a wireless network that is set to not broadcast its name (or SSID). To perform discovery of a hidden network, the wireless device 102 broadcasts both the name of the wireless network that the wireless device is looking for, as well as the wireless device's name, and security credentials for the hidden network. If the hidden network is in range, then the wireless device 102 can associate with the hidden network).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Montemurro such as a hidden network as a wireless network in order to add an extra layer of network security by reducing its visibility. The motivation is to establish wireless connections, such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP (Montemurro: [0007]).
The above cited combination of Zhang in view of Zhang-8638 and Montemurro does not explicitly teach: wherein the instructions to determine the first MAC address (Windsor: [0033], The authentication request includes a first message integrity code (MIC) of a client-specific pre-shared key, which was generated using a pair-wise master key (PMK) known to the client device and attributes including a media access control (MAC) address of the access point, a nonce value of the access point, a MAC address of the client device and a nonce value of the client device. In response to receipt of the authentication request, the authentication server validates the first MIC by receiving the attributes from the access point or the wireless LAN controller… The client-specific pre-shared key known to the authentication server can be extracted from a key database including various entries, where each entry includes any or a combination of a MAC address of a specific client device, a service set identifier (SSID) of the access point, a client-specific pre-shared key assigned by the authentication server to the specific client device and a PMK known to the authentication server. The authentication server validates the client-specific pre-shared key to be authentic when the first MIC matches with the second MIC.) further comprise instructions to determine a first service set identifier (SSID) indicated in the first request (Windsor: [0065], each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK. When a successful match is found, the MAC address of the client device can be bound to the PSK so that in future validation can be performed directly using the PSK).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638, and Montemurro by applying the well-known technique as disclosed by Windsor of determining first MAC address and first SSID in order to validate client by an authentication server based on SSID and MAC address. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 12, the Zhang in view of Zhang-8638, Montemurro and Windsor teaches: The non-transitory machine-readable media of claim 11 (see rejection of claim 11 above).
The above cited combination of Zhang in view of Zhang-8638, Montemurro and Windsor does not disclose: wherein the associations further comprise SSIDs corresponding to each of the MAC addresses of the clients, and wherein the instructions to perform the lookup comprise instructions to perform the lookup with the first MAC address and the first SSID on associations between pairs of the MAC addresses and the SSIDs of the clients and the authentication servers to which the clients are to authenticate for enterprise authentication.
However, Windsor teaches: wherein the associations further comprise SSIDs corresponding to each of the MAC addresses of the clients (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK), and wherein the instructions to perform the lookup comprise instructions to perform the lookup with the first MAC address and the first SSID on associations between pairs of the MAC addresses and the SSIDs of the clients (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK); and the authentication servers to which the clients are to authenticate for enterprise authentication (Windsor: [0047], In network architecture 200, an authentication server 206 can be used to authenticate various computing devices associated with a network 204 before providing them with access to a wireless network. Client devices 208-1, 208-2 . . . 208-N (which may be collectively referred to as client devices 208 and individually referred to as client device 208, hereinafter) within network 204 are representative of the various computing devices that might be authenticated by authentication server 206. [0060] FIG. 4 is a sequence diagram 400 illustrating interactions among a client device 402, an access point 404 and an authentication server 406 to authenticate the client device in accordance with an embodiment of the present invention). 
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638, and Montemurro by applying the well-known technique as disclosed by Windsor of authenticating the client of an enterprise in order to get access in enterprise network. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 18, the Zhang in view of Zhang-8638 teaches: The access point of claim 15 (See the rejection of claim 15 above), and wherein the instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device), to determine the first network information (Zhang: [0037], the authentication request can include a Media Access Control (MAC) address (=network information) of the wireless client device. [0042], client device 102 can be expected to be authenticated by controller 106 to determine whether device 102 should be allowed access to the requested resource.
Such authentication can be enabled by means of one or more remote authentication devices, such as LDAP server 108-1, remote server 108-2, or RADIUS server 108-3, which may be collectively and interchangeably referred as remote authentication device 108 hereinafter, which can be configured to authenticate one or more client devices 102 attempting to access a resource, wherein the remote authentication device 108 can be configured to provide and update current authentication status of each device by, maintaining the authentication status along with the MAC address (=network information) of one or more stored/registered/applicable client devices 102), comprise instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device);
The above cited combination of Zhang in view of Zhang-8638 does not disclose: wherein the access point makes available a hidden wireless network.
However, Montemurro teaches: wherein the access point makes available a hidden wireless network (Montemurro: [Abstract], a wireless network includes a wireless local area network (WLAN), which has access points (APs) with which wireless devices are able to wirelessly connect to perform communications of data. [0007], A WLAN can include one or more access points (APs).
An AP refers to a network node with which wireless devices are able to establish wireless connections such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Montemurro such as a hidden network as a wireless network in order to add an extra layer of network security by reducing its visibility. The motivation is to establish wireless connections, such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP (Montemurro: [0007]).
The above cited combination of Zhang in view of Zhang-8638 and Montemurro does not explicitly disclose: wherein determine the first network information comprises determine from the first request a SSID provided by the first client device and the MAC address associated with the first client device.
However, Windsor teaches: wherein determine the first network information comprises determine from the first request a SSID provided by the first client device and the MAC address associated with the first client device (Windsor: [0065], each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK. When a successful match is found, the MAC address of the client device can be bound to the PSK so that in future validation can be performed directly using the PSK).
A person having ordinary skill in the art, before the effective fili

Prosecution Timeline

Feb 02, 2022: Application Filed
Mar 20, 2024: Non-Final Rejection — §103
Jun 17, 2024: Interview Requested
Jun 24, 2024: Applicant Interview (Telephonic)
Jun 24, 2024: Examiner Interview Summary
Jun 25, 2024: Response Filed
Oct 04, 2024: Final Rejection — §103
Jan 02, 2025: Request for Continued Examination
Jan 15, 2025: Response after Non-Final Action
Apr 08, 2025: Non-Final Rejection — §103
Jul 17, 2025: Response Filed
Oct 17, 2025: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12592937
Method For Protection From Cyber Attacks To A Vehicle, And Corresponding Device
2y 5m to grant Granted Mar 31, 2026
Patent 12587544
METHOD AND SYSTEM TO REMEDIATE A SECURITY ISSUE
2y 5m to grant Granted Mar 24, 2026
Patent 12513154
BLOCKCHAIN-BASED DATA DETECTION METHOD, APPARATUS, AND COMPUTER-READABLE STORAGE MEDIUM
2y 5m to grant Granted Dec 30, 2025
Patent 12495039
INTEGRATED AUTHENTICATION SYSTEM AND METHOD
2y 5m to grant Granted Dec 09, 2025
Patent 12468826
METHOD FOR OPERATING A PRINTING SYSTEM
2y 5m to grant Granted Nov 11, 2025
Study what changed to get past this examiner. Based on 5 most recent grants.


Prosecution Projections

Expected OA Rounds: 5-6
Grant Probability: 39%
With Interview (+31.2%): 71%
Median Time to Grant: 3y 6m
PTA Risk: High
Based on 33 resolved cases by this examiner. Grant probability derived from career allow rate.
