DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 12 and 20 are amended.
Claims 1, 4-15, 18-24 are pending.
Response to Arguments
Applicant's arguments filed 07/17/2025 have been fully considered but they are not persuasive. Applicant argues that “Zhang/Zhang does not maintain such associations between MAC addresses and authentication servers, which correspond to different enterprises, for 802.1X authentication that inform to which authentication server to forward authentication messages transmitted by a client. While Zhang/Zhang may mention MAC addresses and authentication servers such as RADIUS servers, Zhang/Zhang is silent regarding support of authentication of clients to various authentication servers that correspond to different enterprises and authenticate according to 802.1X authentication….The network controller "caches the current authentication status received from the authentication device/server." Determining a prior authentication result associated with a wireless client device based on cached MAC addresses and corresponding authentication status information as in Zhang does not disclose performing a lookup with a MAC address in maintained associations between MAC addresses associated with devices and indications of a plurality of authentication servers corresponding to the devices maintained by the network device as claim 1 recites.
This also does not disclose that each of the plurality of authentication servers is associated with a different one of a plurality of enterprises and authenticates clients according to 802.1X authentication as claim 1 also recites….For instance, authentication status information in Zhang indicates whether a prior authentication of a device was successful or unsuccessful. There is no disclosure or implication in Zhang that the cached MAC addresses and authentication status information indicate authentication servers corresponding to a plurality of different enterprises that authenticate clients according to 802.1X authentication, and an indication of whether prior authentication of a device was successful or unsuccessful does not inform to which of a plurality of authentication servers associated with different enterprises a client device corresponds. As is evident from this teaching in Zhang, none of these cache fields constitute an indication of an authentication server that corresponds to one of a plurality of different enterprises and authenticates clients according to 802.1X authentication. Zhang does not even imply that the remote server 210 corresponds to one of a plurality of different enterprises and authenticates clients according to 802.1X authentication, nor does the network controller in Zhang that maintains the cache communicate with a plurality of authentication servers that authenticate clients according to 802.1X authentication and correspond to different enterprises. Zhang is silent regarding association of remote servers with various enterprises…”.
Examiner respectfully disagrees because Zhang (US 2016/0087954 A1) discloses in paragraph [0042] that, before accessing a network resource, client device 102 can be expected to be authenticated by controller 106 to determine whether device 102 should be allowed access to the requested resource. Such authentication can be enabled by means of one or more remote authentication devices, such as LDAP server 108-1, remote server 108-2, or RADIUS server 108-3, which may be collectively and interchangeably referred to as remote authentication device 108 hereinafter, which can be configured to authenticate one or more client devices 102 attempting to access a resource, wherein the remote authentication device 108 can be configured to provide and update the current authentication status of each device by maintaining the authentication status (=maintaining the association) along with the MAC address of one or more stored/registered/applicable client devices 102.
Examiner interprets the “authentication status” as the “indications of a plurality of authentication servers corresponding to the devices maintained by the network device”, i.e. the successful or unsuccessful indication that comes from the remote server (=which can also be a RADIUS server). Zhang discloses “performing look up to determine whether the client device is authorized to access requested resource” in paragraph [0059], “by performing a lookup based on the client device's MAC address”. At step 406, the network controller can authenticate the client device based on the current authentication status received from the remote server (=authentication server); a current authentication status indicating successful authentication is interpreted as the claimed “indications of a plurality of authentication servers corresponding to the devices maintained by the network device”.
Applicant argues that Zhang is silent regarding association of remote servers with various enterprises. Examiner respectfully disagrees because Zhang-8638 discloses in [0051]: “For example, such a Tracking_Tag string or text can contain information for identifying an authentication session performed between the mobile device 302 and the authentication server 306, such as the FQDN or IP address of the authentication server 306, the MAC address of the mobile device 302, and a unique session identifier generated by the authentication server 306.” This shows the FQDN/IP address of the authentication server, which is unique for each enterprise, and allows the authentication message to be forwarded to the server it belongs to.
Furthermore, in paragraph [0052]: In an exemplary implementation, network controller 206 maintains a mapping of the current (last known) authentication status associated with client device 202 against its MAC address in the form of a database, a table or the like (=examiner interprets this as the mapping of the MAC address and its status being maintained in a database or a table). In the context of the present example, cache 208 is conceptually illustrated in the form of a table, which may have fields including, but not limited to, the MAC address of the client device, current authentication status as received from remote server 210…
Additionally, in paragraph [0055]: In an aspect, multiple entries for the same client device 202 can be created to maintain a log of prior authentication status, or alternatively the current authentication status can replace/overwrite the prior authentication status so that only the latest status is stored in cache 208.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 7-8, 10, 13-15, 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U. S. PGPub. No. 2016/0087954 A1) (hereinafter “Zhang”) and further in view of Zhang et al. (U. S. PGPub. No. 2017/0118638 A1) (hereinafter “Zhang-8638”).
Regarding Claim 1, Zhang teaches:
detecting, by a network device which makes available a wireless network, a first request transmitted by a first device (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device. [0038] According to one embodiment, a wireless network controller is provided having a client request receive module configured to receive an authentication request relating to a wireless client device from a wireless access point (AP) coupled to a wireless local area network (WLAN) and managed by the wireless network controller)
wherein the wireless network is secured with Wi-Fi protected access (WPA)-Enterprise security (Zhang: [0050], the current authentication status can be provided by a remote authentication device 108, such as a Remote Authentication Dial-in User Service (RADIUS) server 108-3, or by a Terminal Access Controller Access-Control System (TACACS) server, or by a Lightweight Directory Access Protocol (LDAP) server 108-1, or by any remote authentication server that can be configured to provide authentication in addition to other authentication methods, such as OPEN, WPA-personal and WPA-enterprise.)
determining first network information associated with the first device that is indicated in the first request (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device. [0042], client device 102 can be expected to be authenticated by controller 106 to determine whether device 102 should be allowed access to the requested resource. Such authentication can be enabled by means of one or more remote authentication devices, such as LDAP server 108-1, remote server 108-2, or RADIUS server 108-3, which may be collectively and interchangeably referred as remote authentication device 108 hereinafter, which can be configured to authenticate one or more client devices 102 attempting to access a resource, wherein the remote authentication device 108 can be configured to provide and update current authentication status of each device by, maintaining the authentication status along with the MAC address (=network information) of one or more stored/registered/applicable client devices 102));
wherein the first network information comprises a first media access control (MAC) address associated with the first device (Zhang: [0058], client request receive module 304 can be configured to receive an authentication request relating to a wireless client device from a wireless AP coupled to a WLAN and that is managed by the wireless network controller 302. In an instance, when the client device changes its location from a first AP to a second AP, the client device may be required to send an authentication request, including its MAC address or any other device identifier (=network information), to the controller 302) ;
performing, by the network device, a first look up with the first MAC address on associations between MAC addresses associated with devices (Zhang: [0059], by performing a lookup based on the client device's MAC address or issuing a suitable query based on the MAC address. When no authentication record is present in the cache, the authentication request can be forwarded by controller 302 to a remote authentication server; otherwise the authentication request can be initially processed locally by controller 302 based on the existing cache record) and indications of a plurality of authentication servers corresponding to the devices maintained by the network device (Zhang: [0064], Assuming that there is no prior authentication result/record available within the cache of the network controller, at step 404, the network controller can send the authentication request to a remote server to provide a current authentication status associated with the client device. At step 406, the network controller can authenticate the client device based on the current authentication status received from the remote server such that if the current authentication status indicates successful authentication, the client device is allowed access to the WLAN or resources therein; otherwise, if the current authentication status is unsuccessful, the client device can be denied access to the WLAN or otherwise be de-authenticated), wherein each of the plurality of authentication servers is associated with a different one of a plurality of enterprises (Zhang: [0007] In a typical enterprise setup, there may be several APs installed throughout the enterprise network (which may be referred to as a WLAN) to provide access to information/data to client devices connected from within the enterprise network or from outside the enterprise network (=plurality of authentication servers). 
A WLAN allows end users/client devices to access a corporate intranet and/or the Internet to manage e-mails, schedule meetings, and access files and applications/resources on the corporate or university or enterprise network from anywhere such as from conference rooms, classrooms, co-workers' desks, the cafeteria or virtually from anywhere within the campus. To manage these APs and/or to grant access to the device connecting through the APs, a centralized network controller is typically configured, wherein one or more APs connect to the centralized network controller to authenticate client devices that are connected to (or are attempting to connect to) the enterprise network using the APs) and authenticates clients according to 802.1X authentication (Zhang: [0011] It has been recognized that vulnerabilities exist in the authentication methods and data privacy schemes provided by 802.11. To end that, IEEE has adopted 802.1X as a new standard for session authentication on wired and wireless networks. This standard can provide WLANs with strong, mutual authentication between a client and an authentication server);
determining if a result of the first lookup with the first MAC address indicates one of the plurality of authentication servers (Zhang: [0034], Based on the received authentication request, the wireless network controller determines whether a prior authentication result associated with the wireless client device is present in a cache of the wireless network controller, and permits the wireless client device to access the WLAN via the AP when the prior authentication result (=result of the first lookup) is present and the prior authentication result indicates that the wireless client device was previously successfully authenticated);
and based on determining that the result of the first lookup indicates a first of the plurality of authentication servers (Zhang: [0052], network controller 206 maintains a mapping of the current (last known) authentication status associated with client device 202 against its MAC address in the form of a database, a table or the like. In the context of the present example, cache 208 is conceptually illustrated in the form of a table, which may have fields including, but not limiting to, the MAC address of the client device, current authentication status as received from remote server 210, and a timestamp of the last update received from remote server 210),
Zhang does not explicitly disclose:
forwarding authentication messages subsequently transmitted by the first device to the first authentication server for authentication of the first device to the first authentication server according to 802.1X authentication.
However in an analogous art Zhang-8638 teaches:
forwarding authentication messages subsequently transmitted by the first device to the first authentication server (Zhang-8638: [0028], By having the wireless access point echo the same tracking tag in each subsequent authentication message that it forwards to the authentication server in the authentication session…) for authentication of the first device to the first authentication server according to 802.1X authentication (Zhang-8638: [0029], the wireless access point 102 can be deployed within a wireless local area network (WLAN) such as a Wi-Fi network 108 that conforms to one or more of the Institute of Electrical and Electronic Engineers (IEEE) 802.11 series of standards…The Wi-Fi-enabled device 104 can be a Wi-Fi-enabled smartphone, tablet computer, laptop computer, or any other suitable Wi-Fi-enabled device. Further, the Wi-Fi controller 110 can be configured to support Hotspot 2.0, which is a technology based on the IEEE 802.11u, 802.11i, and 802.1x standards and…the local and remote ANQP servers 106, 114 can each be configured to conform to the Remote Authentication Dial-In User Service (RADIUS) protocol defined in RFC 2865 Remote Authentication Dial In User Service (RADIUS)…)
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Zhang’s method of receiving an authentication request from the user device to securely access the enterprise network by applying Zhang-8638’s method of forwarding each subsequent authentication message to the authentication server in the authentication session. The motivation is to determine the authentication session to which the respective authentication messages belong and to facilitate subsequent troubleshooting of the authentication session in the event of an unexpected failure (Zhang-8638: [Abstract]).
Regarding Claim 7, Zhang in view of Zhang-8638 teaches:
The method of claim 1 (see rejection of claim 1 above),
based on determining that the result does not indicate one of the plurality of authentication servers, terminating a connection between the network device and the first device (Zhang: [0045], On the other hand, if the current authentication status received from remote authentication device 108 by the wireless network controller 106 represents an unsuccessful authentication of wireless client device 104, wireless network controller 106 may direct AP 104 to immediately revoke access to the WLAN by wireless client device 102).
Regarding Claim 8, Zhang in view of Zhang-8638 teaches:
The method of claim 1 (see rejection of claim 1 above),
wherein the network device comprises an access point, wherein the first request comprises an association request, wherein determining the first network information comprises determining the first network information from the association request (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device).
Regarding Claim 10, Zhang teaches:
One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions to (Zhang: [0068] Embodiments of the present disclosure include various steps, which have been described in detail above. A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware):
This claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (non-transitory medium). For this reason the same grounds of rejection are applied to claim 10.
Regarding Claim 13, Zhang in view of Zhang-8638 teaches:
The non-transitory machine-readable media of claim 10 (see rejection of claim 10 above),
based on a determination that the result of the lookup does not indicate one of the authentication servers, terminate communication with the first client (Zhang: [0061], if the current authentication status received from the remote authentication server by the network controller 302 represents an unsuccessful authentication of the client device in context, the AP can immediately revoke access of the client device to the WLAN and also update the cache accordingly so that the device is not authenticated by local authentication by the controller's cache).
Regarding Claim 14, Zhang in view of Zhang-8638 teaches:
The non-transitory machine-readable media of claim 10 (see rejection of claim 10 above),
wherein the first request comprises an association request, and wherein the instructions to determine the first MAC address comprise instructions to determine the first MAC address from the association request (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device).
Regarding Claim 15, Zhang teaches:
An access point comprising (Zhang: [0041] FIG. 1 illustrates an exemplary wireless network architecture 100 in accordance with an embodiment of the present invention. As illustrated, architecture 100 of FIG. 1 can include one or more access points such as access point-1 104-1, access point-2 104-2, and access point-3 104-3, which may be collectively and interchangeably referred to as access point (AP) 104 hereinafter, which are configured to provide wireless connectivity to one or more wireless client devices, such as client device 102-1, 102-2, and so on, which may be collectively referred to as client device(s) 102 hereinafter. [0043] As illustrated, each AP 104 can be configured to provide wireless connectivity to a WLAN to one or more client devices 102 that are within range. For instance, access point-1 104-1 can provide wireless access to client device 102-1, client device 102-2, client device 102-3, and client device 102-4. Similarly, access point-2 104-2 can provide wireless access to client device 102-5, client device 102-6, client device 102-7, and client device 102-8, and so on. In an example implementation, network controller 106 can be operatively coupled with APs 104 using a wireless interface and/or through a wired interface):
a processor (Zhang: [0070] Examples of processor 605 include, but are not limited to, an Intel® Itanium® or Itanium 2 processor(s), or AMD® Opteron® or Athlon MP® processor(s), Motorola® lines of processors, FortiSOC™ system on a chip processors or other future processors. Processor 605 may include various modules associated with monitoring unit as described in FIGS. 2-4)
and a computer-readable medium having instructions stored thereon that are executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware),to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device)
This claim contains identical limitations found within that of claim 1 above albeit directed to a different statutory category (apparatus). For this reason the same grounds of rejection are applied to claim 15.
Regarding Claim 22, Zhang in view of Zhang-8638 teaches:
The method of claim 1 (see rejection of claim 1 above),
The above cited combination of Zhang in view of Zhang-8638 does not explicitly disclose:
wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address for each of the plurality of authentication servers
Furthermore, Zhang-8638 teaches:
wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address for each of the plurality of authentication servers (Zhang-8638: [0042], Tracking_Tag (=indications of the plurality of authentication server): [ANQP Server FQDN/IP addr], [Mobile Device MAC addr], [Session ID], (1) in which “ANQP Server FQDN/IP addr” corresponds to the Fully Qualified Domain Name (FQDN) or Internet protocol (IP) address of the authentication server 306, “Mobile Device MAC addr” corresponds to the MAC address of the mobile device 302, and “Session ID” corresponds to a unique session identifier generated by the authentication server 306. It is noted that the string, Tracking_Tag (=indications of the plurality of authentication server), can alternatively include any other suitable information for identifying the authentication session performed between the mobile device 302 and the authentication server 306).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Zhang’s method of receiving an authentication request from the user device to securely access the enterprise network by applying Zhang-8638’s method of identifying authentication session information such as the FQDN or IP address of the authentication server. The motivation is to track authentication sessions performed between Wireless Fidelity (Wi-Fi)-enabled devices and authentication servers via wireless access points within Wi-Fi networks (Zhang-8638: [0028]).
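The mechanism recited in claims 1, 7 and 22, modelled as an added illustration (this is not code from the application, from Zhang or from Zhang-8638): a network device keeps associations from client MAC addresses to an indication (FQDN and/or IP address) of the enterprise 802.1X authentication server each client belongs to, performs the lookup on the association request, forwards subsequent EAP messages to the server found, and terminates the connection when the lookup yields no server. The class and function names, the dictionary shape of the association request, and the sample MAC addresses and server names are all assumptions.

```python
"""Claims 1/7/22 as a model: MAC -> authentication-server associations on a
network device serving several enterprises (added illustration, not the
application's or the prior art's own code; all names are assumptions)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form; rejects malformed input so a
    garbled address can never silently match (or miss) a table entry."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return mac


@dataclass(frozen=True)
class AuthServer:
    """Indication of one enterprise's 802.1X authentication server: per claim
    22, at least one of a domain name and an IP address."""
    enterprise: str
    fqdn: Optional[str] = None
    ip: Optional[str] = None

    def __post_init__(self) -> None:
        if not (self.fqdn or self.ip):
            raise ValueError("authentication server needs an FQDN or IP address")

    @property
    def key(self) -> str:
        return self.fqdn or self.ip  # type: ignore[return-value]


@dataclass
class NetworkDevice:
    """Access point / controller making a WPA-Enterprise network available.

    `associations` is the table the claims recite (MAC -> server indication);
    `sessions` holds MACs admitted by the lookup and therefore allowed to
    continue 802.1X; `forwarded` records the EAP payloads sent to each server;
    `terminated` records connections dropped because no server was indicated.
    """
    associations: Dict[str, AuthServer] = field(default_factory=dict)
    sessions: Set[str] = field(default_factory=set)
    forwarded: Dict[str, List[bytes]] = field(default_factory=dict)
    terminated: List[str] = field(default_factory=list)

    def maintain_association(self, mac: str, server: AuthServer) -> None:
        self.associations[normalize_mac(mac)] = server

    def lookup(self, mac: str) -> Optional[AuthServer]:
        """The first lookup with the MAC address taken from the request."""
        return self.associations.get(normalize_mac(mac))

    def handle_association_request(self, request: dict) -> str:
        """Claim 1 decision on an association request (assumed to carry the
        station MAC as 'sta_mac'); claim 7 branch when nothing is indicated."""
        mac = normalize_mac(request["sta_mac"])
        server = self.lookup(mac)
        if server is None:
            self.sessions.discard(mac)      # no server: terminate the connection
            self.terminated.append(mac)
            return "terminated"
        self.sessions.add(mac)
        return "forward-to:" + server.key

    def handle_eapol(self, mac: str, eap_payload: bytes) -> Optional[str]:
        """Forward a subsequent 802.1X/EAP message to the server selected by the
        earlier lookup; messages from non-admitted stations are dropped. The
        MAC only selects the server, it never authenticates the client."""
        mac = normalize_mac(mac)
        if mac not in self.sessions:
            return None
        key = self.associations[mac].key
        self.forwarded.setdefault(key, []).append(eap_payload)
        return key


def demo() -> dict:
    """Constructed scenario: two enterprises, one known client each, and one
    client with no association. Sample MACs and server names are invented."""
    ap = NetworkDevice()
    ap.maintain_association("00:11:22:aa:bb:cc",
                            AuthServer("acme", fqdn="radius.acme.example"))
    ap.maintain_association("00-11-22-DD-EE-FF",
                            AuthServer("globex", ip="192.0.2.10"))
    out = {
        "acme": ap.handle_association_request({"sta_mac": "00:11:22:AA:BB:CC"}),
        "globex": ap.handle_association_request({"sta_mac": "00:11:22:dd:ee:ff"}),
        "unknown": ap.handle_association_request({"sta_mac": "00:11:22:00:00:01"}),
    }
    # Subsequent 802.1X exchange: constructed EAP-Response/Identity payloads.
    out["acme_eap"] = ap.handle_eapol("00:11:22:aa:bb:cc", b"\x02\x01\x00\x0a\x01alice")
    out["unknown_eap"] = ap.handle_eapol("00:11:22:00:00:01", b"\x02\x01\x00\x09\x01nobody")
    out["forwarded"] = {k: len(v) for k, v in ap.forwarded.items()}
    out["terminated"] = list(ap.terminated)
    return out


if __name__ == "__main__":
    print(demo())
```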
Regarding Claim 23, Zhang in view of Zhang-8638 teaches:
The access point of claim 15 (See the rejection of claim 15 above),
further comprising instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) maintain the associations between the MAC addresses associated with client devices and indications of the plurality of authentication servers (Zhang: [0037] In an aspect, the remote authentication device can include one or a combination of a remote server, a Remote Authentication Dial-in User Service (RADIUS) server, Terminal Access Controller Access-Control System (TACACS) server and a Lightweight Directory Access Protocol (LDAP) server. In another aspect, the authentication request can include a Media Access Control (MAC) address of the wireless client device. In yet another aspect, the remote authentication device can store therein, information associating the MAC address of the wireless client device with the current authentication status of the wireless client device. In another aspect, the cache can store therein, information associating the MAC address of the wireless client device with the prior authentication result. In yet another aspect, the authentication request can include a network access identifier indicative of a device signature of the wireless client device),
The above cited combination of Zhang in view of Zhang-8638 does not explicitly disclose:
wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address of each of the plurality of authentication servers
Furthermore, Zhang-8638 teaches:
wherein the indications of the plurality of authentication servers comprise at least one of a domain name and an Internet Protocol (IP) address of each of the plurality of authentication servers (Zhang-8638: [0028], tracking authentication sessions performed between Wireless Fidelity (Wi-Fi)-enabled devices and authentication servers via wireless access points within Wi-Fi networks [0051], such a Tracking_Tag string or text can contain information for identifying an authentication session performed between the mobile device 302 and the authentication server 306, such as the FQDN or IP address of the authentication server 306, the MAC address of the mobile device 302, and a unique session identifier generated by the authentication server 306.).
It would have been obvious to a person having ordinary skill in the art, before the effective filing date of the invention, to modify Zhang’s method of receiving an authentication request from the user device to securely access the enterprise network by applying Zhang-8638’s method of identifying authentication session information such as the FQDN or IP address of the authentication server. The motivation is to track authentication sessions performed between Wireless Fidelity (Wi-Fi)-enabled devices and authentication servers via wireless access points within Wi-Fi networks (Zhang-8638: [0028]).
Regarding Claim 24, Zhang in view of Zhang-8638 teaches:
The access point of claim 15 (See the rejection of claim 15 above),
wherein the first request comprises an association request (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) and wherein the instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) determine the first network information associated with the first client device from the first request (Zhang: [0037], the authentication request (=first request = association request) can include a Media Access Control (MAC) address (=network information) of the wireless client device) comprise instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps.
Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) to determine the first network information from the association request (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device).
Claim(s) 4 is rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U. S. PGPub. No. 2016/0087954 A1) (hereinafter “Zhang”) and further in view of Zhang et al. (U. S. PGPub. No. 2017/0118638 A1) (hereinafter “Zhang-8638”); and further in view of Montemurro et al (US 2017/0311142 A1) (hereinafter “Montemurro”).
Regarding Claim 4, Zhang in view of Zhang-8638 teaches:
The method of claim 1 (see rejection of claim 1 above),
The above cited combination of Zhang in view of Zhang-8638 does not explicitly disclose:
wherein the wireless network is a hidden wireless network.
However, in an analogous art, Montemurro teaches:
wherein the wireless network is a hidden wireless network (Montemurro: [0037], the scanning that can be performed by the wireless device 102 can include scanning for hidden networks. A hidden network is a wireless network that is set to not broadcast its name (or SSID). To perform discovery of a hidden network, the wireless device 102 broadcasts both the name of the wireless network that the wireless device is looking for, as well as the wireless device's name, and security credentials for the hidden network. If the hidden network is in range, then the wireless device 102 can associate with the hidden network).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Montemurro, such as using a hidden network as the wireless network, in order to add an extra layer of network security by reducing the network's visibility. The motivation is to establish wireless connections such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP (Montemurro: [0007]).
Claims 5-6, 11-12 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U. S. PGPub. No. 2016/0087954 A1) (hereinafter “Zhang”) and further in view of Zhang et al. (U. S. PGPub. No. 2017/0118638 A1) (hereinafter “Zhang-8638”) and Montemurro et al. (U. S. PGPub. 2017/0311142 A1) (hereinafter “Montemurro”); and in further view of Windsor et al. (U. S. PGPub. 2021/0099873 A1) (hereinafter “Windsor”).
Regarding Claim 5, Zhang in view of Zhang-8638 and Montemurro teaches:
The method of claim 4 (see rejection of claim 4 above),
The above cited combination of Zhang in view of Zhang-8638 and Montemurro does not disclose:
wherein determining the first network information comprises determining from the first request an SSID provided by the first device and the first MAC address associated with the first device.
However, in an analogous art, Windsor teaches:
wherein determining the first network information comprises determining from the first request an SSID provided by the first device and a MAC address associated with the first device (Windsor: [0065], each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK. When a successful match is found, the MAC address of the client device can be bound to the PSK so that in future validation can be performed directly using the PSK).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Montemurro by applying the well-known technique as disclosed by Windsor of determining the SSID and MAC address of the first device in order to improve wireless communication networks by providing additional wireless access points for load balancing purposes. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 6, Zhang in view of Zhang-8638, Montemurro and Windsor teaches:
The method of claim 5 (see rejection of claim 5 above),
The above cited combination of Zhang in view of Zhang-8638, Montemurro and Windsor does not explicitly disclose:
wherein the associations further comprise SSIDs corresponding to each of the MAC addresses of the devices,
wherein performing a lookup with the SSID and the MAC address on associations between the indications of the plurality of authentication servers and pairs of MAC addresses and SSIDs.
However, Windsor teaches:
wherein the associations further comprise SSIDs corresponding to each of the MAC addresses of the devices (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination (=pair) of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK.);
performing a lookup with the SSID and the MAC address on associations between the indications of the plurality of authentication servers and pairs of MAC addresses and SSIDs (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination (=pair) of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK.);
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Montemurro by applying the well-known technique as disclosed by Windsor of performing a lookup for an authentication server using a pair of an SSID and a MAC address in order to improve wireless communication networks by providing additional wireless access points for load balancing purposes. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 11, Zhang in view of Zhang-8638 teaches:
The non-transitory machine-readable media of claim 10 (see rejection of claim 10 above),
The above cited combination of Zhang in view of Zhang-8638 does not explicitly disclose:
wherein the wireless network is a hidden wireless network, and wherein the instructions to determine the first MAC address further comprise instructions to determine a first service set identifier (SSID) indicated in the first request.
However, Montemurro teaches:
wherein the wireless network is a hidden wireless network (Montemurro: [0037] In further examples, the scanning that can be performed by the wireless device 102 can include scanning for hidden networks. A hidden network is a wireless network that is set to not broadcast its name (or SSID). To perform discovery of a hidden network, the wireless device 102 broadcasts both the name of the wireless network that the wireless device is looking for, as well as the wireless device's name, and security credentials for the hidden network. If the hidden network is in range, then the wireless device 102 can associate with the hidden network),
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Montemurro, such as using a hidden network as the wireless network, in order to add an extra layer of network security by reducing the network's visibility. The motivation is to establish wireless connections such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP (Montemurro: [0007]).
The above cited combination of Zhang in view of Zhang-8638 and Montemurro does not explicitly teach:
wherein the instructions to determine the first MAC address (Windsor: [0033], The authentication request includes a first message integrity code (MIC) of a client-specific pre-shared key, which was generated using a pair-wise master key (PMK) known to the client device and attributes including a media access control (MAC) address of the access point, a nonce value of the access point, a MAC address of the client device and a nonce value of the client device. In response to receipt of the authentication request, the authentication server validates the first MIC by receiving the attributes from the access point or the wireless LAN controller… The client-specific pre-shared key known to the authentication server can be extracted from a key database including various entries, where each entry includes any or a combination of a MAC address of a specific client device, a service set identifier (SSID) of the access point, a client-specific pre-shared key assigned by the authentication server to the specific client device and a PMK known to the authentication server. The authentication server validates the client-specific pre-shared key to be authentic when the first MIC matches with the second MIC.) further comprise instructions to determine a first service set identifier (SSID) indicated in the first request (Windsor: [0065], each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK. When a successful match is found, the MAC address of the client device can be bound to the PSK so that in future validation can be performed directly using the PSK).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Montemurro by applying the well-known technique as disclosed by Windsor of determining a first MAC address and a first SSID in order to validate a client by an authentication server based on the SSID and MAC address. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 12, Zhang in view of Zhang-8638, Montemurro and Windsor teaches:
The non-transitory machine-readable media of claim 11 (see rejection of claim 11 above),
The above cited combination of Zhang in view of Zhang-8638, Montemurro and Windsor does not disclose:
wherein the associations further comprise SSIDs corresponding to each of the MAC addresses of the clients, and wherein the instructions to perform the lookup comprise instructions to perform the lookup with the first MAC address and the first SSID on associations between pairs of the MAC addresses and the SSIDs of the clients and the authentication servers to which the clients are to authenticate for enterprise authentication.
However, Windsor teaches:
wherein the associations further comprise SSIDs corresponding to each of the MAC addresses of the clients (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK),
and wherein the instructions to perform the lookup comprise instructions to perform the lookup with the first MAC address and the first SSID on associations between pairs of the MAC addresses and the SSIDs of the clients (Windsor: [0065]: According to an embodiment, each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK);
and the authentication servers to which the clients are to authenticate for enterprise authentication (Windsor: [0047], In network architecture 200, an authentication server 206 can be used to authenticate various computing devices associated with a network 204 before providing them with access to a wireless network. Client devices 208-1, 208-2 . . . 208-N (which may be collectively referred to as client devices 208 and individually referred to as client device 208, hereinafter) within network 204 are representative of the various computing devices that might be authenticated by authentication server 206. [0060] FIG. 4 is a sequence diagram 400 illustrating interactions among a client device 402, an access point 404 and an authentication server 406 to authenticate the client device in accordance with an embodiment of the present invention).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Montemurro by applying the well-known technique as disclosed by Windsor of authenticating the client of an enterprise in order to gain access to the enterprise network. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 18, Zhang in view of Zhang-8638 teaches:
The access point of claim 15 (see rejection of claim 15 above),
and wherein the instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device) to determine the first network information (Zhang: [0037], the authentication request can include a Media Access Control (MAC) address (=network information) of the wireless client device. [0042], client device 102 can be expected to be authenticated by controller 106 to determine whether device 102 should be allowed access to the requested resource. Such authentication can be enabled by means of one or more remote authentication devices, such as LDAP server 108-1, remote server 108-2, or RADIUS server 108-3, which may be collectively and interchangeably referred as remote authentication device 108 hereinafter, which can be configured to authenticate one or more client devices 102 attempting to access a resource, wherein the remote authentication device 108 can be configured to provide and update current authentication status of each device by, maintaining the authentication status along with the MAC address (=network information) of one or more stored/registered/applicable client devices 102), comprise instructions executable by the processor (Zhang: [0068], A variety of these steps may be performed by hardware components or may be tangibly embodied on a computer-readable storage medium in the form of machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with instructions to perform these steps. Alternatively, the steps may be performed by a combination of hardware, software, and/or firmware) to cause the access point to (Zhang: [0016], A MAC-based authentication request (=first request = association request) is received by the wireless network controller from a wireless access point (AP) managed by the wireless network controller on behalf of a roaming wireless client device);
The above cited combination of Zhang in view of Zhang-8638 does not disclose:
wherein the access point makes available a hidden wireless network.
However, Montemurro teaches:
wherein the access point makes available a hidden wireless network (Montemurro: [Abstract], a wireless network includes a wireless local area network (WLAN), which has access points (APs) with which wireless devices are able to wirelessly connect to perform communications of data. [0007], A WLAN can include one or more access points (APs). An AP refers to a network node with which wireless devices are able to establish wireless connections such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP),
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Montemurro, such as using a hidden network as the wireless network, in order to add an extra layer of network security by reducing the network's visibility. The motivation is to establish wireless connections such that the wireless devices can communicate data with other endpoints coupled to a network that is connected to the AP (Montemurro: [0007]).
The above cited combination of Zhang in view of Zhang-8638 and Montemurro does not explicitly disclose:
wherein determine the first network information comprises determine from the first request an SSID provided by the first client device and the MAC address associated with the first client device.
However, Windsor teaches:
wherein determine the first network information comprises determine from the first request an SSID provided by the first client device and the MAC address associated with the first client device (Windsor: [0065], each entry of database 500, which is maintained by the authentication server, can include any or a combination of a MAC address of a specific client device, an SSID of an access point, a client-specific PSK assigned by the authentication server to the specific client device, and a PMK. When a successful match is found, the MAC address of the client device can be bound to the PSK so that in future validation can be performed directly using the PSK).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Montemurro by applying the well-known technique as disclosed by Windsor of determining the SSID and MAC address of the first client device in order to improve wireless communication networks by providing additional wireless access points for load balancing purposes. The motivation is for authenticating client devices for access to wireless communication networks (Windsor: [0002]).
Regarding Claim 19, this claim contains identical limitations found within that of claim 6 above, albeit directed to a different statutory category (computer readable medium). For this reason, the same grounds of rejection are applied to claim 19.
Claims 9 and 20-21 are rejected under 35 U.S.C. 103 as being unpatentable over Zhang (U. S. PGPub. No. 2016/0087954 A1) (hereinafter “Zhang”) in view of Zhang et al. (U. S. PGPub. No. 2017/0118638 A1) (hereinafter “Zhang-8638”) and in further view of Higuchi et al. (U. S. Pat. No. 10,003,968 B2) (hereinafter “Higuchi”) and Sethi et al. (U. S. PGPub. No. 2017/0310655 A1) (hereinafter “Sethi”).
Regarding Claim 9, Zhang in view of Zhang-8638 teaches:
The method of claim 1 (see rejection of claim 1 above),
determining second network information based on the second request (Zhang: [0065], At step 410, the network controller can receive a second authentication request from the client device through a second AP, wherein at step 412, the controller can locally/initially authenticate the client device based on the cached prior authentication result), wherein the second network information comprises a second MAC address (Zhang: [0055], FIG. 2B represents a state of cache/local storage 208 after a first successful authentication of client device 202 by remote server 210. In such a case, cache/local storage 208 can have an entry associated with client device 202 having MAC address (i.e., 00-14-22-01-23-25 in the present example) showing that it was successfully authenticated and the time and date associated with the authentication status. On receipt of every new update from remote server 210, the authentication status and timestamp can be updated in cache/local storage 208. [0065], At step 420, the current authentication status can also be used to update the current entry in the cache of the controller so as to contain the most recent authentication status for the client device (=updated entry can include second MAC address));
forwarding authentication messages subsequently transmitted by the second device to the second authentication server (Zhang: [0065], At step 410, the network controller can receive a second authentication request from the client device through a second AP, wherein at step 412, the controller can locally/initially authenticate the client device based on the cached prior authentication result and then at 414, the controller forwards the second authentication request to the remote server)
Zhang in view of Zhang-8638 does not explicitly disclose:
based on performing a second lookup with the second network information on the associations (Higuchi: [Col 7, lines 24-33], The unit 250 searches (=lookup) the authentication server group list table 500 on the basis of the reception port information of the registered MAC) determining if a result of the second lookup indicates one of the plurality of authentication servers (Higuchi: [Col 5, lines 63-67 – Col 6, lines 1-2], provides for each of the authentication processing units (a 802.1X authentication processing unit 210, a Web authentication processing unit 220, a MAC authentication processing unit 230) searches for the relevant authentication server from an authentication server group list table on the basis of the reception port information and executes an authenticating process to the relevant authentication server. [Col 7, lines 24-33], The unit 250 searches the authentication server group list table 500 on the basis of the reception port information of the registered MAC);
and based on determining that the result of the second lookup indicates a second of the plurality of authentication servers (Higuchi: [Col 5, lines 63-67-Col 6, lines 1-2], provides for each of the authentication processing units (a 802.1X authentication processing unit 210, a Web authentication processing unit 220, a MAC authentication processing unit 230) searches for the relevant authentication server from an authentication server group list table on the basis of the reception port information and executes an authenticating process to the relevant authentication server.),
wherein the second authentication server is different from the first authentication server (Higuchi: [Col 6, lines 45-48], provides for extracting the relevant authentication server information “server 1, server 2” from the authentication server group list table 500 shown in FIG. 5. [Col 10, lines 31-32], (65) In the case where the enterprises which have the different authentication servers), and wherein the first and second authentication servers correspond to different ones of the plurality of enterprises (Higuchi: [Col 6, lines 45-48], provides for extracting the relevant authentication server information “server 1, server 2” from the authentication server group list table 500 shown in FIG. 5. [Col 10, lines 31-32], (65) In the case where the enterprises which have the different authentication servers).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Higuchi’s method of searching for relevant authentication server associated with MAC address, in order to manage a process that allows delegating authentication access for a network, application, or system to an authentication server to better load balance the system and also to provide a tiered approach to authentication that permits scalability.
Zhang in view of Zhang-8638 and Higuchi does not explicitly disclose:
detecting a second request transmitted by a second device that is different from the first device; and determining second network information based on the second request.
However, in an analogous art, Sethi teaches:
detecting a second request transmitted by a second device that is different from the first device (Sethi: [0067] There may be different ways of establishing the second secure connection. For example, the access point 20 may be configured to in an optional step S108a establish the second secure connection by receiving an access request from the client device 40)
determining second network information based on the second request (Sethi: [0067], The access point 20 may then be configured to in an optional step S108b forward the access request to the network gateway 30. Additionally or alternatively the access point 20 may be configured to in an optional step S108c establish the second secure connection by facilitating establishment of an Extensible Authentication Protocol (EAP) access authentication between the client device 40 and the network gateway 30)
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 and Higuchi by applying the well-known technique as disclosed by Sethi of forwarding the access request to the network gateway in order to establish the second secure connection. The motivation is that, to exchange sensitive information with the cloud computing information technology infrastructure, the connection between the client device and the network gateway should be secure (Sethi: [0005]).
Regarding Claim 20, this claim contains identical limitations found within that of claim 9 above, albeit directed to a different statutory category (computer readable storage medium). For this reason, the same grounds of rejection are applied to claim 20.
Regarding Claim 21, Zhang in view of Zhang-8638 teaches:
The method of claim 1 (see rejection of claim 1 above),
wherein the indications of a plurality of authentication servers comprise indications of a plurality of Remote Authentication Dial-In User Service (RADIUS) servers (Higuchi: [Col 2, lines 9-15], (9) Hitherto, as a method of designating a plurality of RADIUS servers and operating, a method whereby the redundant RADIUS servers are realized by allowing a plurality of RADIUS servers to have the same authentication data or a method whereby the different RADIUS server is designated in the case of using the MAC authentication and in the case of using the Web authentication existed).
A person having ordinary skill in the art, before the effective filing date of the invention, would have found it obvious to modify Zhang in view of Zhang-8638 by applying the well-known technique as disclosed by Higuchi’s method of searching for relevant authentication server associated with MAC address, in order to manage a process that allows delegating authentication access for a network, application, or system to an authentication server to better load balance the system and also to provide a tiered approach to authentication that permits scalability.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Refer to PTO-892, Notice of References Cited for a listing of analogous art.
U. S. Pat. No. 8,860,777 B2 (Hendrickson et al.): A system is configured to receive a request to set up a first video conference and another request to set up a second video conference, where the request is received from a client device and where the other request is received from another client device; obtain first information associated with an enterprise with which the client device is associated and second information associated with another, different enterprise with which the other client device is associated; determine whether the first information permits the client device to set up the first video conference and whether the second information permits the other client device to set up the second video conference; establish the first video conference when the first information permits the client device to set up the first video conference; and establish the second video conference when the second information permits the other client device to set up the second video conference.
U. S. PGPub. No. 2014/0059650 A1 (Bhayankara et al.): Methods, systems, and computer readable media for dynamically routing authentication requests are described. An embodiment can include receiving, at one or more computing devices, a network authentication request. An embodiment can also include creating, at the one or more computing devices, an authentication context based on information in the authentication request. An embodiment can also include dynamically routing, using the one or more computing devices, the authentication request to an authentication server.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RUPALI DHAKAD whose telephone number is (571)270-3743. The examiner can normally be reached M-F 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Alexander Lagor, can be reached at 571-270-5143. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/R.D./Examiner, Art Unit 2437
/ALEXANDER LAGOR/Supervisory Patent Examiner, Art Unit 2437