DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
This office action is in response to applicant’s amendment filed, 27 October 2025, of application filed, with the above serial number, on 24 August 2022 in which claims 1, 4, 8 have been amended, claims 9-10, 17 have been cancelled, and claim 18 added. Claims 1, 3-8, 11-16, 18 are pending in the application.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claim 17 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention. The new claim adds that the industrial network is ‘a computer that includes the multi-tenant virtual network, the onboarding network, the access network, the authentication module, and the access point.’ However, per the drawings and description, if the computer is industrial network node 11 as assumed, access network 50 and access point 60 are not computer 11, and the specification at best recites in par. 12 ‘example of an industrial network node is a specific device, such as an industrial PC or a rugged computer, on which the multi-tenant virtual network is configured’ and also having the onboarding ‘network’ 30 and authentication module 40. Thus, it is indefinite how a computer includes all of the components of claim 17.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1, 3-6, 11-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rooney et al (hereinafter “Rooney”, 2020/0403875) in view of Choukir et al (hereinafter “Choukir”, 2021/0092021).
As per Claim 1, Rooney discloses a method for onboarding a device in a multi-tenant virtual network of an industrial network, the method comprising:
deploying the onboarding network on a computer of the industrial network, wherein the deploying comprises: generating the onboarding network and an authentication module on the computer of the industrial network; connecting the onboarding network to the authentication module on the computer; extending the onboarding network to an access point of the industrial network, wherein the access point is an electronic device positioned between the onboarding network and the device to be onboarded to the multi-tenant virtual network of the industrial network (at least paragraph 28; the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190); generating an access network; and connecting the access network to the onboarding network via the access point (at least paragraph 28-33; establish an onboarding network 190. For example, the back end server 110 configures the Wi-Fi Router 160 with configuration commands via a RESTful protocol to add the onboarding network SSID from the onboarding network credential 126 so the repeater device 120 can connect to the onboarding network 190. For example, the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190);
receiving an onboarding request from the device regarding access to the multi-tenant virtual network of the industrial network, wherein the multi-tenant virtual network is provided on the computer, wherein the onboarding request is received in the access network of the industrial network assigned to the onboarding network of the computer of the industrial network (at least Fig. 1C; paragraph 24-31; step 126);
identifying and verifying the device using the authentication module of the computer of the industrial network (at least Fig. 1C; paragraph 24-31; step 128; the Wi-Fi router 160 uses the received onboarding network credential 126 to establish an onboarding network 190. For example, the back end server 110 configures the Wi-Fi Router 160 with configuration commands via a RESTful protocol to add the onboarding network SSID from the onboarding network credential 126 so the repeater device 120 can connect to the onboarding network 190. For example, the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190);
sending a configuration file to the device when a verification result is positive, wherein the configuration file comprises data regarding an access authorization of the device to the multi-tenant virtual network of the computer (at least paragraph 28, 31; Besides the Wi-Fi network provisioning credential 128, the repeater device 120 may receive other configuration parameters via the onboarding network 190 and/or the Wi-Fi network 180);
configuring the device according to the configuration file (at least paragraph 28, 31; Besides the Wi-Fi network provisioning credential 128, the repeater device 120 may receive other configuration parameters via the onboarding network 190 and/or the Wi-Fi network 180);
verifying the access authorization of the device in the access point of the industrial network (at least paragraph 28-33; When the repeater device 120 detects that it can talk to the back end server 110 via the onboarding network 190 the repeater device 120 can be fully managed by the back end server 110. The back end server 110 sends the new configuration for the repeater device 120 which includes the network credential 128 and as when the repeater device 120 receives that configuration it applies it and restarts its network so it immediately leaves the onboarding network 190 and joins the Wi-Fi network 180.); and
granting the device access to the multi-tenant virtual network of the computer when the verification result is positive (at least paragraph 33; When the repeater device 120 detects that it can talk to the back end server 110 via the onboarding network 190 the repeater device 120 can be fully managed by the back end server 110. The back end server 110 sends the new configuration for the repeater device 120 which includes the network credential 128 and as when the repeater device 120 receives that configuration it applies it and restarts its network so it immediately leaves the onboarding network 190 and joins the Wi-Fi network 180.).
Rooney fails to explicitly disclose wherein the access network is open to any device for requesting access to the multi-tenant virtual network where the device does not require any password to access the access network to carry out the onboarding request. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Choukir. Choukir discloses, in an analogous onboarding art, any device including wireless client 120 may send an onboarding request to an AP to access a network, the client is mapped to connect to onboarding VNID network 105A in order to then authenticate the client in order to have the client be connected to the virtual network 105 they are attempting to connect to, once they are authenticated a destination VNID network is determined (at least paragraph 19-21, 67-72). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Choukir’s onboarding with Rooney as Choukir teaches this allows the device to freely connect up to authentication resources and connections only, and not the actual networks in order to then authenticate the device to actually be onboarded, thus enhancing the security of the network as is well known in onboarding, as well as addressing other shortcomings Choukir identifies in par. 12-16.
As per Claim 3. The method of claim 1, wherein the access network is only made available to receive onboarding requests for a limited period of time (at least paragraph 27; onboarding network password for a (temporary) onboarding network 190).
As per Claim 4, Rooney discloses an industrial network comprising:
a computer comprising: a multi-tenant virtual network (at least paragraph 30-31; WiFi network); an onboarding network (at least paragraph 27, onboarding network); and an authentication module configured to identify and verify a device to be onboarded to the multi-tenant virtual network (at least paragraph 27; onboarding network credential 126, onboarding network SSID, and onboarding network password of router); an access network assigned to the onboarding network of the computer, wherein the access network is configured to receive an onboarding request from the device regarding access to the multi-tenant virtual network of the computer; and an access point to which the onboarding network of the computer extends, wherein the access point is an electronic device positioned between the onboarding network of the computer and the device configured to be onboarded to the multi-tenant virtual network of the computer (at least paragraph 28; the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190); wherein the access point is configured to verify an access authorization of the device and grant the device access to the multi-tenant virtual network when a verification result is positive (at least paragraph 28-33; establish an onboarding network 190. For example, the back end server 110 configures the Wi-Fi Router 160 with configuration commands via a RESTful protocol to add the onboarding network SSID from the onboarding network credential 126 so the repeater device 120 can connect to the onboarding network 190. For example, the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190),
wherein the onboarding network of the computer is configured to be deployed in the industrial network by generating the onboarding network and the authentication module, connecting the onboarding network to the authentication module, extending the onboarding network to the access point of the industrial network, generating the access network, and connecting the access network to the onboarding network via the access point (at least paragraph 28-33; establish an onboarding network 190. For example, the back end server 110 configures the Wi-Fi Router 160 with configuration commands via a RESTful protocol to add the onboarding network SSID from the onboarding network credential 126 so the repeater device 120 can connect to the onboarding network 190. For example, the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190);
wherein a configuration file comprises data regarding the access authorization of the device to the multi-tenant virtual network, and wherein the device is configured according to the configuration file (at least Fig. 1C; paragraph 24-33, 47; step 128; the Wi-Fi router 160 uses the received onboarding network credential 126 to establish an onboarding network 190. For example, the back end server 110 configures the Wi-Fi Router 160 with configuration commands via a RESTful protocol to add the onboarding network SSID from the onboarding network credential 126 so the repeater device 120 can connect to the onboarding network 190. For example, the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190; Besides the Wi-Fi network provisioning credential 128, the repeater device 120 may receive other configuration parameters via the onboarding network 190 and/or the Wi-Fi network 180; When the repeater device 120 detects that it can talk to the back end server 110 via the onboarding network 190 the repeater device 120 can be fully managed by the back end server 110. The back end server 110 sends the new configuration for the repeater device 120 which includes the network credential 128 and as when the repeater device 120 receives that configuration it applies it and restarts its network so it immediately leaves the onboarding network 190 and joins the Wi-Fi network 180; only the serial number or MAC address of repeater device being used by mobile app 135; unique ID is associated with a temporary network credential; mobile app 135 sends the ID (via scanning or inputting serial number/MAC) to the backend server which allows repeater device to log into onboarding network using only the ID).
Rooney fails to explicitly disclose wherein the access network is open to any device for requesting access to the multi-tenant virtual network where the device does not require any password to access the access network to carry out the onboarding request. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Choukir. Choukir discloses, in an analogous onboarding art, any device including wireless client 120 may send an onboarding request to an AP to access a network, the client is mapped to connect to onboarding VNID network 105A in order to then authenticate the client in order to have the client be connected to the virtual network 105 they are attempting to connect to, once they are authenticated a destination VNID network is determined (at least paragraph 19-21, 67-72). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Choukir’s onboarding with Rooney as Choukir teaches this allows the device to freely connect up to authentication resources and connections only, and not the actual networks in order to then authenticate the device to actually be onboarded, thus enhancing the security of the network as is well known in onboarding, as well as addressing other shortcomings Choukir identifies in par. 12-16.
As per Claim 5. The industrial network of claim 4, wherein the industrial network comprises at least one additional multi-tenant virtual network (at least Fig. 1c; par. 27, 32; temporary onboarding network 190 and after done disabling and reactivating).
As per Claim 6. The industrial network of claim 5, wherein the onboarding network is configured to act as a common onboarding network for onboarding devices to the multi-tenant virtual network and to the additional multi-tenant virtual network (at least paragraph 27).
As per Claim 11. The industrial network of claim 4, wherein the industrial network comprises at least one additional access point, and wherein the onboarding network extends to the access point and the at least one additional access point (at least Fig. 1a).
As per Claim 12. The industrial network of claim 11, wherein the access point and the at least one additional access point are spatially separated (at least Fig. 1a).
As per Claim 13. The industrial network of claim 11, wherein the access point and the at least one additional access point are configured for different access technologies (at least Rooney paragraph 2; eg. Bluetooth and wifi).
As per Claim 14. The method of claim 1, wherein a communication interface of the device is configured according to the configuration file (at least paragraph 26; repeater device 120 is configured to communicate with the Wi-Fi network 180).
As per Claim 15. The method of claim 1, wherein the authentication module is connected to a database, and wherein the database comprises information used in the identifying and the verifying of the device making the onboarding request (at least paragraph 35, Fig. 1a; manufacturer of the repeater device 120 maps the unique identifier 124 to a unique onboarding network credential 126, and adds a mapping of the unique identifier 124 and onboarding network credential 126 to a lookup table of mappings, for example, a database accessible to the back end server 110; database and back end server on WAN).
As per Claim 16. The industrial network of claim 4, further comprising: a database connected to the authentication module, wherein the database comprises information used in the identification and the verification of the device making the onboarding request (at least paragraph 35, Fig. 1a; manufacturer of the repeater device 120 maps the unique identifier 124 to a unique onboarding network credential 126, and adds a mapping of the unique identifier 124 and onboarding network credential 126 to a lookup table of mappings, for example, a database accessible to the back end server 110; database and back end server on WAN).
As per Claim 18. The industrial network of claim 4, wherein the computer of the industrial network further comprises a physical interface that is connected to the access point of the industrial network (at least Fig. 1C; Wifi Router 160 connected to First repeater 140).
Claim(s) 7-8 is/are rejected under 35 U.S.C. 103 as being unpatentable over Rooney in view of Choukir, further in view of Schatzmann et al (hereinafter “Schatzmann”, 2015/0373001).
As per Claim 7. Rooney/Choukir fail to explicitly disclose wherein the industrial network comprises at least one additional onboarding network, wherein the onboarding network is configured to onboard devices to the multi-tenant virtual network, and wherein the additional onboarding network is configured to onboard devices to the additional multi-tenant virtual network. However, the use and advantages for using such a system was well known to one skilled in the art before the effective filing date of the claimed invention as evidenced by the teachings of Schatzmann. Schatzmann discloses, in an analogous art, an onboarding controller having a plurality of onboarding networks each belonging to a different network management system (at least Schatzmann paragraph 28-32). Therefore, it would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to incorporate the use of Schatzmann’s onboarding controller with Rooney/Choukir as Schatzmann teaches that such ensures that network equipment of a particular customer is onboarded to the correct system for that customer's network and would allow Rooney’s system to have multiple SSIDs to onboard devices for different customers.
As per Claim 8. The industrial network of claim 7, wherein the industrial network comprises at least one additional authentication module configured to identify and verify a device that has made an onboarding request regarding access to the additional multi-tenant virtual network (at least Schatzmann paragraph 28-32; each new network equipment is added to a particular LANaaS system 2, 2′ be authorized to access that system/service).
Response to Arguments
Applicant's arguments filed 27 October 2025 have been fully considered but they are not persuasive.
Applicant argues on p. 10 that Rooney’s onboarding network 190 is not equivalent to the onboarding network claimed as there is no physical electronic device/access point 60 positioned between the device and the onboarding network. However, Rooney discloses in par. 28 that the onboarding network 190 can connect via other devices or access points: “the repeater device 120 can connect to the onboarding network 190 and the router 160 via the first repeater 140 which acts as a virtual access point (VAP) for the onboarding network 190” (emphasis added). See also specification par. 20 that outlines the access point can be virtual. In other words, as is well known in the art, access points are simply typically wireless connection points to extend a network of a central gateway or router (that may also be wireless/ WiFi), and thus Rooney explicitly discloses that the router 160 creates such a temporary onboarding network but that the access points using the router would allow the new device to be positioned in the new location which may use access points or repeaters to connect to that onboarding network. This would allow the onboarding network to not simply be in small radius of the wi-fi router but, for example in a large environment needing repeaters as Rooney is oriented to, would allow devices in a much larger area of combined radii of the wifi router and repeater/mesh nodes to be onboarded.
It is important to note the terms as claimed and described in the specification, and their interpretation in comparison to the prior art. With respect to exemplary claim 1, a single onboarding network is deployed, such deployment including generating both the onboarding network and an access network. Claim 1 recites four networks, an industrial network, a multi-tenant virtual network and the aforementioned onboarding and access networks. As Fig. 1 shows, industrial network may be likened to 10 as to include all the other networks, while node 11 contains ‘onboarding network 30’ and multi tenant network 20, thus these ‘networks’ are not networks in the typical sense in the art of connecting multiple devices but rather are merely acting as modules from interface 111 for authentication purposes via 40 and to run application 201, respectively. Whereas the new device to be onboarded is connecting to access point 60 via access network 50 and thus the more typical well known Wi-Fi type network.
Thus, the Examiner is interpreting the claimed access network as a WiFi network the device to be onboarded is connecting and accessing the industrial network with, and the claimed onboarding ‘network’ as an onboarding authentication system (onboarding network and authentication module generated as claimed).
Pages 3-6 of the specification support this interpretation, as the definitions include ‘onboarding’ (notably, not ‘onboarding network’), described as being a process, while ‘access network’ is defined as that in which onboarding requests are accepted. P. 6, however, does describe that ‘onboarding network’ has the ‘function of supporting or enabling the onboarding of a device’. Further, the figures show the onboarding network as being a rectangular box 30, while access network 50 is an oval, and node 11 contains onboarding network 30 only connecting from interface 111 to authentication module 40.
Applicant also argues on p. 11 that Rooney does not disclose the onboarding network, multi-tenant virtual network and authentication module ‘positioned’ on a ‘single’ computer or computing device. However, it is not entirely clear how the components including the onboarding network are ‘positioned’ on a single device, as the device to be onboarded is using the network, and the specification lacks specifics for such positioning. Further, the claims do not require the network to be only on a single computing device; the ‘network’ or networks are ‘of’ the device, not clearly only being on that device, whatever that might mean.
However, Rooney discloses in par. 27-28 that the WiFi Router 160, a ‘computer’, has positioned and provided thereon the onboarding network that is configured for authentication by the device 120 with the network credentials and password, thus the WiFi router computer has an authentication module to authenticate the credentials and determine if the repeater device 120 is allowed to be onboarded, and if so, is onboarded onto the onboarding network positioned on that computer. Thus, clearly Rooney discloses the onboarding network and authentication module being on that computer, so the other component, the "multi-tenant virtual network" is determined. The specification par. 11 defines such network as “a data and communication network that is available exclusively for a specific mandate and may connect distributed work areas of the client to each other.” Rooney clearly teaches that once the repeater device is onboarded that it then connects up to such multi-tenant virtual WiFi network 180 in par. 30-31, with such WiFi having a mandate of being a WiFi mesh network with mesh nodes being added to connect distributed work areas of the mesh environment (see par. 2-5, 18-19).
See also secondary reference Choukir par. 38-41, 19 and Fig. 1-2, where a device connects to an onboarding VNID of an access network 105, which connects to WLC 115 having authenticator 118 to verify credentials provided by the device.
It is further noted the response has not responded with arguments to the 103 Rejection in view of Schatzmann.
See MPEP 37 CFR 1.111(b):
(b) In order to be entitled to reconsideration or further examination, the applicant or patent owner must reply to the Office action. The reply by the applicant or patent owner must be reduced to a writing which distinctly and specifically points out the supposed errors in the examiner’s action and must reply to every ground of objection and rejection in the prior Office action. The reply must present arguments pointing out the specific distinctions believed to render the claims, including any newly presented claims, patentable over any applied references. If the reply is with respect to an application, a request may be made that objections or requirements as to form not necessary to further consideration of the claims be held in abeyance until allowable subject matter is indicated. The applicant’s or patent owner’s reply must appear throughout to be a bona fide attempt to advance the application or the reexamination proceeding to final action. A general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references does not comply with the requirements of this section. (Emphasis added)
Schatzmann discloses in par. 17-18 drawbacks of prior systems where logging into and authenticating network equipment is undesirable for onboarding, or dumb devices not equipped with hardware or software for onboarding. Schatzmann provides an onboarding solution (par. 28-32) so that the devices only issue a registration request and an invitation is sent back, to these problems and thus is also applicable to claims 1, 4.
Conclusion
THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY TODD whose telephone number is (303)297-4763. The examiner can normally be reached 8:30-5 MST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on 571-272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/GREGORY TODD/Primary Examiner, Art Unit 2443