Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see pages 1-5, filed on October 29, 2025, with respect to the rejections of claims 1-8 under 35 U.S.C. 103 as being unpatentable over VIGER et al. (US 20210204324 A1, hereinafter “VIGER”) in view of Campiglio et al. (US 20220225097 A1, hereinafter “Campiglio”) and the rejections of claims 9-20 under 35 U.S.C. 103 as being unpatentable over Campiglio in view of VIGER have been fully considered and are persuasive. Therefore, those rejections have been withdrawn. However, upon further consideration, a new ground of rejection is made over Ficara et al. (US 20210360400, hereinafter “Ficara”) in view of Mohammed et al. (US 20220272089, hereinafter “Mohammed”).
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ficara et al. (US 20210360400, hereinafter “Ficara”) in view of Mohammed et al. (US 20220272089, hereinafter “Mohammed”).
As per claim 1: Ficara discloses a method of providing group-to-group isolation, the method comprising:
storing, by a network device, a first Media Access Control (MAC) address of a first host device that authenticates for network access using a first key ([0035] APs are separated into logical groups in pre-shared key management logic 150 as per phase 1. Then, each subgroup of APs is specifically logically associated with one or more PSKs (in the pre-shared key management logic 150). For example, a single PSK may be associated to APs in a particular house/apartment. In a common area accessible to all tenants, all PSKs may be associated as shown in FIG. 7, which illustrates a PSK to zone mapping by group, according to an example embodiment. As the pre-shared key management logic 150 is used to associate which tenant/unit has access to which common area, the associated PSK is added to the AP group for that common area. FIG. 8 illustrates how a different PSK, e.g., PSK.sub.n and PSK.sub.n+1 are set as defaults for each unit (e.g., apartment) access point (AP) advertising the same service set identifier (SSID), according to an example embodiment. [0036] APs deployed in a non-shared space (e.g., a particular unit) can be configured to service only a small subset of users (and a single tenant contract), and therefore the PSK search space is reduced to 1 (with WPA3, or a few PSKs, if the local policy allows more than one WPA2 PSK per unit). [0037] Then, a seed-from-home method is instantiated. With this method, tenants are requested to establish the first connection from their home, apartment, or unit. As the connection AP is known, this method allows the search space to be reduced to a small set of keys. Then, once the STA authentication completes, the STA MAC address is mapped with the associated PSK);
wherein the first MAC address is stored as part of a first list of MAC addresses in a first device group ([0038] Radio resource management (RRM) is used for APs to detect their neighbors. As the first on-boarding takes place, the PSK(s) matching the associating AP are attempted first. If the search fails, the neighboring APs search space is attempted, with the assumption that a neighbor's AP may provide a better signal (and the same SSID) as the local unit AP, if the user connects from some edge areas of the unit. Once the search succeeds, the device may be mapped to the correct unit. That is, pre-shared key management logic 150 may be configured to update the MAC address to PSK mapping after a given tenant first joins the system; that is, the MAC address to PSK mapping database or lookup list is updated);
identifying devices authenticated using the first key ([0037] Tenants are requested to establish the first connection from their home, apartment, or unit. As the connection AP is known, this method allows the search space to be reduced to a small set of keys. Then, once the STA authentication completes, the STA MAC address is mapped with the associated PSK. [0039] Subsequently, in common areas, pre-shared key management logic 150 performs a lookup to verify the existence of the MAC address in a MAC address to PSK mapping database of pre-shared key management logic 150. Authentication fails if the MAC address is not known);
storing, by the network device, a second MAC address of a second host device that authenticates for network access using a second key ([0027] A solution is presented herein with negligible onboarding overhead or possibly none at all, that can support many (e.g., up to 1024) different PSKs in the same WLAN. This solution, referred to herein as “EasyPSK,” allows PSK-based on boarding for multi-tenants, and is enabled by pre-shared key management logic that may be incorporated into WLC 220. [0028] FIG. 3 illustrates a unit to zone mapping in a network controller. A pre-shared key management logic 150, which may be hosted/executed on/by a management tool such as a network controller (e.g., Cisco's Digital Network Architecture (DNAC)), assigns zones (e.g., A1-A7, B1-B8, C1-CA, D1-DD, E1-E3, F1-F7, G1-GB, L1-LA, Common 1, Common 2, Common 3, Common 4, Common 5, Common 6) to a map 300. As indicated, the zones can be common areas or individual dwellings; the multiple zone mappings constitute a plurality of groups);
wherein the second MAC address is stored as part of a second list of MAC addresses in a second device group identifying devices authenticated using the second key ([0029] Using an Application Programming Interface (API) (or pre-shared key management logic 150 itself), a landlord company associates, in a database, each zone to one or more access points (APs). [0035] It is noted that this embodiment does not rely on specific STA, AP or infrastructure support. Rather, in this embodiment, APs are separated into logical groups in pre-shared key management logic 150 as per phase 1. Then, each subgroup of APs is specifically logically associated with one or more PSKs (in the pre-shared key management logic 150). For example, a single PSK may be associated to APs in a particular house/apartment. In a common area accessible to all tenants, all PSKs may be associated as shown in FIG. 7, which illustrates a PSK to zone mapping by group, according to an example embodiment. As the pre-shared key management logic 150 is used to associate which tenant/unit has access to which common area, the associated PSK is added to the AP group for that common area. FIG. 8 illustrates how a different PSK, e.g., PSK.sub.n and PSK.sub.n+1 are set as defaults for each unit (e.g., apartment) access point (AP) advertising the same service set identifier (SSID), according to an example embodiment).
Ficara does not explicitly disclose receiving, at the network device, a frame having a source MAC address and a destination MAC address; and dropping, at the network device, the frame based at least in part on: comparing the source MAC address of the frame with the first list of MAC addresses in the first device group to determine that the source MAC address is in the first device group, and comparing the destination MAC address of the frame with the second list of MAC addresses in the second device group to determine that the destination MAC address is in the second device group.
Mohammed, in analogous art however, discloses receiving, at the network device, a frame having a source MAC address and a destination MAC address; and dropping, at the network device, the frame based at least in part on: ([0185] The network forwarding is based at least in part on the mapped MAC address of end device 620-1, access point 618-1 may replace the MAC address of end device 620-1 inside the ARP response payload with its mapped MAC address. Therefore, end device 620-3 now has the mapped MAC address of end device 620-1. Once the ARP exchange is completed, end device 620-3 may send its message in a frame having its own MAC address as the source MAC address and the mapped MAC address for end device 620-1 as the destination MAC address. End device 620-3 sending the frame and the network know the destination device by its mapped MAC address, not its native MAC address. Therefore, when the frame arrives at access point 618-1, access point 618-1 may know end device 620-1 is a member of group identifier 1, and may replace the destination MAC address in the frame with the native MAC address of end device 620-1. Otherwise, end device 620-1 would filter the frame);
comparing the source MAC address of the frame with the first list of MAC addresses in the first device group to determine that the source MAC address is in the first device group ([0244] Suppose that a first end device has a frame to send to a second end device. The access point may receive the frame, may map the source MAC address of the frame as described previously and, by inspecting the destination MAC address in the frame, may determine that the frame is destined to the second end device. Because the access point knows (from DPSK authentication) that end device is a member of group identifier 1, and because the mapped source MAC address has a matching group identifier, the access point may forward the frame to the second end device. However, if the group identifier in the mapped MAC address did not match the group identifier of the destination device, the access point would filter (or drop) the frame);
comparing the destination MAC address of the frame with the second list of MAC addresses in the second device group to determine that the destination MAC address is in the second device group ([0243] As shown in Table 1, the mapped MAC address may include a MAC organizationally unique identifier, the group identifier and the device identifier. Note that the MAC organizationally unique identifier has a range of 2.sup.24 MAC addresses. In order to assure there is no conflict with any other MAC addresses present on the network in a hotel, a new MAC organizationally unique identifier may be obtained (e.g., from the IEEE) and used for MAC-mapping purposes. In this example, two bytes have been reserved for the group identifier (accommodating up to 65,535 rooms in a hotel) and 1 byte has been reserved for the device identifier (accommodating 256 end devices per guest). However, other mapped MAC address formats are possible. In some embodiments, if the MAC organizationally unique identifier is f0:b0:52, the first end device is assigned to room 1 (group identifier 1) and the device identifier is 9, its mapped MAC address may be f0:b0:52:00:01:09. [0183] In order to further illustrate operation of a guest's PAN, end device 620-3, which belongs to the guest assigned to location 622-2, may connect to or associate with access point 618-2. As a result of the DPSK authentication, access point 618-2 may be informed that end device 620-3 is in group identifier 1, which is the group assigned to the guest staying in location 622-1. End device 620-3 may have a frame to send to end device 620-1. Access point 618-2 may receive the frame, map the source MAC address of the frame and, by inspection of the destination MAC address, determine the frame is destined to an end device other than the ones which are wirelessly associated with access point 618-2).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the network device disclosed by Ficara to include receiving a frame having a source MAC address and a destination MAC address, and dropping the frame based at least in part on: comparing the source MAC address of the frame with the first list of MAC addresses in the first device group to determine that the source MAC address is in the first device group, and comparing the destination MAC address of the frame with the second list of MAC addresses in the second device group to determine that the destination MAC address is in the second device group. This modification would have been obvious because a person having ordinary skill in the art would have been motivated to provide techniques for authenticating one or more devices to a dynamic personal area network (PAN) in a network based on a passphrase or certificate-based authentication and a policy associated with the network, such as a policy that is based at least in part on a condition, as suggested by Mohammed ([0007]-[0008]).
As per claim 2: Ficara in view of Mohammed discloses the method of claim 1, wherein the first and second host devices are in a same virtual local area network domain (Mohammed [0136] The network may include a virtual network associated with the location (such as a virtual network for a PAN), and the information in the access acceptance message may allow the second electronic device to establish secure communication with the virtual network. This secure communication may be independent of traffic associated with other users of the network. For example, the computer network device may bridge traffic between the second electronic device and a group of electronic devices in the virtual network in the network, where the traffic in the virtual network is independent of other traffic associated with one or more different virtual networks in the network. Note that the virtual network may include: a VLAN or a VXLAN. Mohammed [0137] Furthermore, the virtual network may be specified by an identifier that is included in the access acceptance message. For example, the identifier may include a VLANID or a VNI. Alternatively or additionally, the virtual network may include: QinQ, mobility tunnels (e.g., using Home Hub and group identifiers) and/or a MAC address mapping procedure. Moreover, the identifier may include information that is capable of specifying more than 4,096 virtual networks).
As per claim 3: Ficara in view of Mohammed discloses the method of claim 1, wherein the first key is unique to a first user and wherein the second key is unique to a second user (Ficara [0059] FIG. 12A is a flowchart depicting a series of operations that may be executed by pre-shared key management logic 150 according to an example embodiment. At 1210, a client or STA joins an “Easy PSK” SSID, i.e., a SSID protected by a PSK managed in accordance with the embodiments described herein, using, e.g., EAPOL M1 and M2 message exchanges. At 1212, a WLC or pre-shared key management logic 150 (or some combination thereof) determines if the MAC address of the STA is known. If yes, at 1214, the PSK that is bound to the MAC address is used for communicating with the STA. That association may be gleaned from the WLC, pre-shared key management logic 150, radius (AAA) server, etc. as described herein. At 1216, the STA finishes with EAPOL M3 and M4 message exchange, and at 1218 the STA or client joins the WLAN. Ficara [0061] If there is a match between the MAC address of the STA and a PSK, then at 1226 pre-shared key management logic 150 may publish that binding to a radius (AAA) server, WLC or other node that may make use of such binding to maintain or establish a desired policy. Operations 1216 and 1218 are then executed to enable the STA (client) to join the WLAN).
As per claim 4: Ficara in view of Mohammed discloses the method of claim 3, wherein the network device comprises a wireless access point, wherein the first key comprises a first Pre-Shared Key (PSK) for authenticating a first wireless connection to a wireless network portion identifiable by a service set identifier, and wherein the second key comprises a second PSK for authenticating a second wireless connection to the wireless network portion (Ficara [0059] FIG. 12A is a flowchart depicting a series of operations that may be executed by pre-shared key management logic 150 according to an example embodiment. At 1210, a client or STA joins an “Easy PSK” SSID, i.e., a SSID protected by a PSK managed in accordance with the embodiments described herein, using, e.g., EAPOL M1 and M2 message exchanges. At 1212, a WLC or pre-shared key management logic 150 (or some combination thereof) determines if the MAC address of the STA is known. If yes, at 1214, the PSK that is bound to the MAC address is used for communicating with the STA. That association may be gleaned from the WLC, pre-shared key management logic 150, radius (AAA) server, etc. as described herein. At 1216, the STA finishes with EAPOL M3 and M4 message exchange, and at 1218 the STA or client joins the WLAN).
As per claim 5: Ficara in view of Mohammed discloses the method of claim 1 further comprising: receiving the first list of MAC addresses, including the first MAC address, in the first device group from a provisioning server that authenticates network access (Ficara [0047] Phase 3: PSK to MAC Management: In order to be able to serve and join clients, a persistent storage is provided of the client MAC (client MAC address) to PSK association. Conceptually, this can be trivially done in the WLC. In multi-WLC scenarios, the solution would benefit from external storage in order to avoid inter-WLC synchronization and persistent storage. [0048] One solution is to store the MAC and PSK in the network controller, and more specifically in pre-shared key management logic 150. There are at least two other extensions to solve this issue, by delegating part of the mapping storage to an Authentication, Authorization, and Accounting (AAA) server. Embodiment 6: AAA PSK Exchange [0049] In some embodiments, both an identity services engine (ISE) (an access control policy platform) and the WLC need to know a PSK. Currently, the AAA allows to return a MSK/PMK after individual device authentication on the AAA, or the WLC to perform authentication locally (and thus not perform key-related exchanges with RADIUS)).
As per claim 6: Ficara in view of Mohammed discloses the method of claim 5, wherein the first list of MAC addresses in the first device group are received in a message from the provisioning server (Ficara [0025] The mPSK scenario is depicted in FIG. 2. As shown, a wireless station (STA) 210 initiates a connection to an extended WLC (“eWLC,” or simply “WLC”) 220 using Easy PSK. WLC 220 responds with an Extensible Authentication Protocol (EAP) over LAN (EAPOL) M1 message. STA 210, in response, sends an EAPOL M2 message. At this point, eWLC 220 uses an mPSK routine to calculate message information codes (MICs) of each known key to determine the one used by STA 210. Assuming the key is identified, WLC 220 sends an EAPOL M3 message, which triggers an EAPOL M4 message from STA 210. [0052] Reference is now made to FIG. 9, which illustrates a call flow for PSK association with internal known client cache, according to an example embodiment. In the embodiment of FIG. 9, the WLC performs the PSK search. In this case, STA 210 associates to the WLAN via the WLC 220. After the EAPOL M1 and M2 message exchange, WLC 220 checks if the STA MAC address is known. If the MAC address is known, the WLC continues with the EAPOL M3 frame, and subsequent EAPOL M4 message. If the MAC address is not known, WLC 220 performs a search as in the previous embodiments. Once the 4-way handshake completes successfully, WLC 220 queries the radius (i.e., AAA) server 910, using a MAC Authentication Bypass (MAB) frame, forwarding the PSK index, optionally the STA MAC address, and optionally the called-Station-ID (the AP to which the STA 210 is attempting to connect). The radius server 910 returns in the MAB response, the policies for that PSK index in that location (e.g., access not allowed or BW=0). Those skilled in the art will appreciate that these messages can also be carried in other containers (e.g., Change of Authorization (CoA) or others)).
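The mPSK search quoted from Ficara [0025] and [0052] above (the WLC recomputes the EAPOL M2 message integrity code under each known key to find the one the STA used), together with the seed-from-home search space of [0037]-[0038] and the persistent MAC-to-PSK association of [0047], as an added worked example in Python. This is not code from Ficara, from the application, or from any product; the SSID, passphrases, unit and AP names, addresses and nonces are constructed sample data, and the frame layout follows the IEEE 802.11 EAPOL-Key format with a WPA2 descriptor version 2 (HMAC-SHA1-128) MIC.

```python
"""Identify which unit's PSK a station used, from the MIC in EAPOL-Key
message 2, and bind the station MAC to that PSK.  Added example; not code
from Ficara or any product.  Frame layout follows IEEE 802.11 EAPOL-Key
(WPA2, descriptor version 2: HMAC-SHA1-128 MIC).  SSID, passphrases,
unit and AP names, addresses and nonces are constructed sample data."""
import hashlib
import hmac

NONCE_OFFSET = 17  # 802.1X hdr (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
MIC_OFFSET = 81    # NONCE_OFFSET + nonce (32) + key IV (16) + key RSC (8) + key ID (8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK per IEEE 802.11: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK (the Key Confirmation Key) via the 802.11 PRF."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(3))  # 3 x 160 bits covers the 384-bit CCMP PTK
    return ptk[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_m2(snonce: bytes, kck: bytes) -> bytes:
    """Message 2 as a station would send it; used here only to produce sample input."""
    body = (b"\x02"                   # descriptor type: RSN
            + b"\x01\x0a"             # key info: version 2, pairwise, MIC present
            + b"\x00\x10"             # key length 16
            + (1).to_bytes(8, "big")  # replay counter
            + snonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (zero in M2)
            + bytes(16)               # MIC placeholder
            + b"\x00\x00")            # key data length 0 (RSN IE omitted in this sample)
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


class PskBinder:
    """WLC-side state: one PSK per unit, units served per AP, RRM neighbours,
    common-area APs and the persistent MAC-to-PSK association (Ficara phase 3)."""

    def __init__(self, ssid, unit_psk, ap_units, ap_neighbours, common_aps):
        self.pmk = {u: pmk_from_passphrase(p, ssid) for u, p in unit_psk.items()}  # PBKDF2 done once
        self.ap_units, self.ap_neighbours, self.common_aps = ap_units, ap_neighbours, common_aps
        self.mac_to_unit: dict = {}

    def search_order(self, ap: str, spa: bytes) -> list:
        """Known client's bound key first, then the connecting AP's own units, then neighbours'."""
        order = [self.mac_to_unit[spa]] if spa in self.mac_to_unit else []
        for a in [ap] + self.ap_neighbours.get(ap, []):
            order += [u for u in self.ap_units.get(a, []) if u not in order]
        return order

    def onboard(self, ap, aa, spa, anonce, m2):
        """Return the unit whose PSK verifies M2 and record the binding, else None."""
        if ap in self.common_aps and spa not in self.mac_to_unit:
            return None  # common area: an unknown MAC fails without any key search
        snonce = m2[NONCE_OFFSET:NONCE_OFFSET + 32]
        observed = m2[MIC_OFFSET:MIC_OFFSET + 16]
        for unit in self.search_order(ap, spa):
            kck = kck_from_pmk(self.pmk[unit], aa, spa, anonce, snonce)
            if hmac.compare_digest(eapol_mic(kck, m2), observed):
                self.mac_to_unit[spa] = unit
                return unit
        return None


# Constructed sample deployment and handshake values
SSID = "EasyPSK-Tower"
UNIT_PSK = {"unit-3A": "correct horse 3A", "unit-3B": "battery staple 3B", "unit-4A": "orange ocelot 4A"}
AP_UNITS = {"ap-3": ["unit-3A", "unit-3B"], "ap-4": ["unit-4A"], "ap-lobby": ["unit-3A", "unit-3B", "unit-4A"]}
AP_NEIGHBOURS = {"ap-3": ["ap-4"], "ap-4": ["ap-3"], "ap-lobby": []}
COMMON_APS = {"ap-lobby"}
AA, SPA = bytes.fromhex("0c1122334455"), bytes.fromhex("aabbcc000001")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))


def demo():
    """A unit-4A station first associates to ap-3 from the edge of its unit, then to the lobby AP."""
    wlc = PskBinder(SSID, UNIT_PSK, AP_UNITS, AP_NEIGHBOURS, COMMON_APS)
    kck = kck_from_pmk(pmk_from_passphrase(UNIT_PSK["unit-4A"], SSID), AA, SPA, ANONCE, SNONCE)
    m2 = build_m2(SNONCE, kck)
    return (wlc.onboard("ap-lobby", AA, SPA, ANONCE, m2),   # None: unknown MAC in a common area
            wlc.onboard("ap-3", AA, SPA, ANONCE, m2),       # "unit-4A" via the neighbour search
            wlc.onboard("ap-lobby", AA, SPA, ANONCE, m2))   # "unit-4A": now a known MAC


if __name__ == "__main__":
    print(demo())
```

Two design points the passage implies but does not spell out: the PMK depends only on passphrase and SSID, so the 4096-round PBKDF2 is done once per unit at provisioning time and each handshake costs one PRF and one HMAC per candidate, which is why the reduced search space of [0037]-[0038] matters; and the comparison is constant-time, since the WLC is effectively an oracle that an attacker can drive with crafted M2 frames. The fallback from a known MAC's bound key to the full search order is an assumption of this example, not something Ficara states.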
As per claim 7: Ficara in view of Mohammed discloses the method of claim 6, wherein the message comprises an additional list of MAC addresses in a shared device group identifying devices that serve as shared network resources (Ficara [0056] Once authentication completes, the PSK is used to define a User Private Network (UPN). In one embodiment, each PSK defines its own private network. The WLC 220 only allows communication between devices sharing the same PSK, and defines a group key (GTK) per PSK on APs in shared spaces where multiple tenants connect simultaneously. [0057] In another embodiment, where WPA2 and multiple keys are used, the apartment is the group unit, and communication is allowed between all stations using the same set of WPA2 keys).
As per claim 8: Ficara in view of Mohammed discloses the method of claim 7, wherein the message is a network access accept message (Mohammed [0116] Then, when one or more criteria associated with the policy are met, AAA server 130 may selectively provide an access acceptance message to computer 112 (such as a RADIUS access acceptance message). This access acceptance message may be intended for electronic device 110-1 and may include information for establishing secure access of electronic device 110-1. For example, the access acceptance message may include: an identifier of electronic device 110-1, a tunnel type, a tunnel medium type, a tunnel privilege group identifier, a filter identifier, and the username. [0117] In response, computer 112 may provide the access acceptance message (such as a RADIUS access acceptance message) to access point 116-1. Next, access point 116-1 may provide a third message in the four-way handshake to electronic device 110-1. Furthermore, electronic device 110-1 may provide a fourth message in the four-way handshake to access point 116-1, such as an acknowledgment. At this point, access point 116-1 may establish secure access to the WLAN for electronic device 110-1 (and, more generally, secure access to network 120 and/or network 122, such as an intranet or the Internet). Notably, the secure access may be in a PAN in the WLAN, which is independent of traffic associated with other PANs in the WLAN).
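The frame-drop decision that the rejection of claim 1 reads onto Ficara and Mohammed (source MAC looked up in one group's list, destination MAC looked up in another group's list, frame dropped when the two groups differ), together with the provisioning message and shared device group of claims 5 to 8, as an added worked example in Python. This is not code from Ficara, Mohammed, the application, or any product; the dictionary layout of the message, the group names and every MAC address are assumptions constructed for the example, and forwarding group-addressed frames and frames to non-local destinations is a design choice of the example rather than something either reference states.

```python
"""Group-to-group isolation on a network device, as an added example.

Every host MAC is bound, after it authenticates, to the group of the PSK it
used.  A unicast frame is dropped when its source MAC sits in one group's
list and its destination MAC sits in a different group's list; devices in a
shared group (printers, the gateway) are reachable from every group.  The
message layout in apply_group_message and all MAC addresses are constructed
for this example, not taken from either reference or from any product."""
from __future__ import annotations
from enum import Enum


class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"


def normalize(mac: str) -> str:
    """Canonical lower-case colon form so list membership is an exact string match."""
    raw = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(raw) != 12 or any(c not in "0123456789abcdef" for c in raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def is_group_address(mac: str) -> bool:
    """I/G bit of the first octet: broadcast and multicast destinations."""
    return int(normalize(mac)[:2], 16) & 0x01 == 1


class GroupIsolationTable:
    def __init__(self) -> None:
        self.groups: dict[str, list[str]] = {}   # group id -> list of member MACs
        self.shared: list[str] = []               # shared device group

    def bind(self, mac: str, group: str) -> None:
        """Record a host under the group of the key it just authenticated with."""
        mac = normalize(mac)
        for members in self.groups.values():   # a host belongs to exactly one group
            if mac in members:
                members.remove(mac)
        self.groups.setdefault(group, []).append(mac)

    def group_of(self, mac: str) -> str | None:
        mac = normalize(mac)
        return next((g for g, members in self.groups.items() if mac in members), None)

    def filter_frame(self, src: str, dst: str) -> tuple[Verdict, str]:
        """Decide a received frame from its source and destination MAC addresses."""
        src_group = self.group_of(src)
        if src_group is None:
            return Verdict.DROP, "source MAC is not in any group list"
        if normalize(dst) in self.shared:
            return Verdict.FORWARD, "destination is a shared network resource"
        if is_group_address(dst):
            # group-addressed traffic is confined by the per-group GTK, not by this check
            return Verdict.FORWARD, "group-addressed frame"
        dst_group = self.group_of(dst)
        if dst_group is None:
            return Verdict.FORWARD, "destination is not a local host; forwarded upstream"
        if dst_group != src_group:
            return Verdict.DROP, f"source in {src_group}, destination in {dst_group}"
        return Verdict.FORWARD, f"both hosts in {src_group}"


def apply_group_message(table: GroupIsolationTable, message: dict) -> None:
    """Load whole group lists from a provisioning/AAA message (assumed dict layout)."""
    for group, macs in message.get("groups", {}).items():
        table.groups[group] = [normalize(m) for m in macs]
    if "shared" in message:
        table.shared = [normalize(m) for m in message["shared"]]


# Constructed sample: two units plus a shared printer, as one provisioning message
SAMPLE_MESSAGE = {
    "groups": {
        "psk-unit-3A": ["AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02"],
        "psk-unit-4A": ["aa:bb:cc:00:00:03"],
    },
    "shared": ["00:11:22:33:44:55"],
}


def demo() -> list[tuple[str, str, Verdict]]:
    table = GroupIsolationTable()
    apply_group_message(table, SAMPLE_MESSAGE)
    table.bind("aa:bb:cc:00:00:04", "psk-unit-4A")          # a host that authenticated later
    frames = [("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"),   # same unit
              ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"),   # unit 3A -> unit 4A
              ("aa:bb:cc:00:00:04", "00:11:22:33:44:55"),   # unit 4A -> shared printer
              ("aa:bb:cc:00:00:99", "aa:bb:cc:00:00:01")]   # never authenticated
    return [(s, d, table.filter_frame(s, d)[0]) for s, d in frames]


if __name__ == "__main__":
    for src, dst, verdict in demo():
        print(f"{src} -> {dst}: {verdict.value}")
```

The two checks a practitioner should keep in mind when implementing this on a real AP or controller: every lookup goes through one normalizer, because a list populated from a RADIUS attribute in one MAC notation and compared against a frame header in another silently never matches; and a re-authentication that moves a MAC to a new group must remove it from the old list, or the host ends up reachable from both groups.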
As per claim 9: Ficara discloses a method of operating a wireless access point, the method comprising: conveying, by the wireless access point, a user-specific Pre-Shared Key (PSK) for a host device to an authentication system configured to authenticate a network connection for the host device ([0035] wireless access point APs are separated into logical groups in pre-shared key management logic 150 as per phase 1. Then, each subgroup of APs is specifically logically associated with one or more PSKs (in the pre-shared key management logic 150). For example, a single PSK may be associated to APs in a particular house/apartment. In a common area accessible to all tenants, all PSKs may be associated as shown in FIG. 7, which illustrates a PSK to zone mapping by group, according to an example embodiment. As the pre-shared key management logic 150 is used to associate which tenant/unit has access to which common area, the associated PSK is added to the AP group for that common area. FIG. 8 illustrates how a different PSK, e.g., PSK.sub.n and PSK.sub.n+1 are set as defaults for each unit (e.g., apartment) access point (AP) advertising the same service set identifier (SSID), according to an example embodiment. [0036] APs deployed in a non-shared space (e.g., a particular unit) can be configured to service only a small subset of users (and a single tenant contract), and therefore the PSK search space is reduced to 1 (with WPA3, or a few PSKs, if the local policy allows more than one WPA2 PSK per unit). [0037] Then, a seed-from-home method is instantiated. With this method, tenants are requested to establish the first connection from their home, apartment, or unit. As the connection AP is known, this method allows the search space to be reduced to a small set of keys. Then, once the STA authentication completes, the STA MAC address is mapped with the associated PSK);
obtaining, by the wireless access point and from the authentication system, a message containing PSK group information identifying a list of devices in a first PSK group that uses the user-specific PSK for authenticating corresponding network connections of the list of devices ([0027] A solution is presented herein with negligible onboarding overhead or possibly none at all, that can support many (e.g., up to 1024) different PSKs in the same WLAN. This solution, referred to herein as “EasyPSK,” allows PSK-based on boarding for multi-tenants, and is enabled by pre-shared key management logic that may be incorporated into WLC 220. [0028] FIG. 3 illustrates a unit to zone mapping in a network controller. A pre-shared key management logic 150, which may be hosted/executed on/by a management tool such as a network controller (e.g., Cisco's Digital Network Architecture (DNAC)), assigns zones (e.g., A1-A7, B1-B8, C1-CA, D1-DD, E1-E3, F1-F7, G1-GB, L1-LA, Common 1, Common 2, Common 3, Common 4, Common 5, Common 6) to a map 300. As indicated, the zones can be common areas or individual dwellings; the multiple zone mappings constitute a plurality of groups. [0029] Using an Application Programming Interface (API) (or pre-shared key management logic 150 itself), a landlord company associates, in a database, each zone to one or more access points (APs). [0035] It is noted that this embodiment does not rely on specific STA, AP or infrastructure support. Rather, in this embodiment, APs are separated into logical groups in pre-shared key management logic 150 as per phase 1. Then, each subgroup of APs is specifically logically associated with one or more PSKs (in the pre-shared key management logic 150). For example, a single PSK may be associated to APs in a particular house/apartment. In a common area accessible to all tenants, all PSKs may be associated as shown in FIG. 7, which illustrates a PSK to zone mapping by group, according to an example embodiment. As the pre-shared key management logic 150 is used to associate which tenant/unit has access to which common area, the associated PSK is added to the AP group for that common area. FIG. 8 illustrates how a different PSK, e.g., PSK.sub.n and PSK.sub.n+1 are set as defaults for each unit (e.g., apartment) access point (AP) advertising the same service set identifier (SSID), according to an example embodiment); and
processing, by the wireless access point, layer 2 (L2) frames from the host device based on the PSK group information ([0039] Subsequently, in common areas, pre-shared key management logic 150 performs a lookup to verify the existence of the MAC address in a MAC address to PSK mapping database of pre-shared key management logic 150. Authentication fails if the MAC address is not known).
Ficara does not explicitly disclose wherein the host device is in the first PSK group and wherein processing the L2 frames comprises dropping, by the wireless access point, a first L2 frame from the host device and destined for an additional host device in a second PSK group based on the PSK group information. Mohammed, in analogous art however, discloses wherein the host device is in the first PSK group and wherein processing the L2 frames comprises dropping, by the wireless access point, a first L2 frame from the host device and destined for an additional host device in a second PSK group based on the PSK group information ([0185] The network forwarding is based at least in part on the mapped MAC address of end device 620-1, access point 618-1 may replace the MAC address of end device 620-1 inside the ARP response payload with its mapped MAC address. Therefore, end device 620-3 now has the mapped MAC address of end device 620-1. Once the ARP exchange is completed, end device 620-3 may send its message in a frame having its own MAC address as the source MAC address and the mapped MAC address for end device 620-1 as the destination MAC address. End device 620-3 sending the frame and the network know the destination device by its mapped MAC address, not its native MAC address. Therefore, when the frame arrives at access point 618-1, access point 618-1 may know end device 620-1 is a member of group identifier 1, and may replace the destination MAC address in the frame with the native MAC address of end device 620-1. Otherwise, end device 620-1 would filter the frame. [0243] As shown in Table 1, the mapped MAC address may include a MAC organizationally unique identifier, the group identifier and the device identifier. Note that the MAC organizationally unique identifier has a range of 2.sup.24 MAC addresses. In order to assure there is no conflict with any other MAC addresses present on the network in a hotel, a new MAC organizationally unique identifier may be obtained (e.g., from the IEEE) and used for MAC-mapping purposes. In this example, two bytes have been reserved for the group identifier (accommodating up to 65,535 rooms in a hotel) and 1 byte has been reserved for the device identifier (accommodating 256 end devices per guest). However, other mapped MAC address formats are possible. In some embodiments, if the MAC organizationally unique identifier is f0:b0:52, the first end device is assigned to room 1 (group identifier 1) and the device identifier is 9, its mapped MAC address may be f0:b0:52:00:01:09. [0244] Suppose that a first end device has a frame to send to a second end device. The access point may receive the frame, may map the source MAC address of the frame as described previously and, by inspecting the destination MAC address in the frame, may determine that the frame is destined to the second end device. Because the access point knows (from DPSK authentication) that end device is a member of group identifier 1, and because the mapped source MAC address has a matching group identifier, the access point may forward the frame to the second end device. However, if the group identifier in the mapped MAC address did not match the group identifier of the destination device, the access point would filter (or drop) the frame). Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the wireless access point disclosed by Ficara so that the host device is in the first PSK group and processing the L2 frames comprises dropping, by the wireless access point, a first L2 frame from the host device and destined for an additional host device in a second PSK group based on the PSK group information. This modification would have been obvious because a person having ordinary skill in the art would have been motivated to provide techniques for authenticating one or more devices to a dynamic personal area network (PAN) in a network based on a passphrase or certificate-based authentication and a policy associated with the network, such as a policy that is based at least in part on a condition, as suggested by Mohammed ([0007]-[0008]).
As per claim 10: Ficara in view of Mohammed discloses the method of claim 9, wherein the message includes shared group information identifying an additional list of devices in a shared device group and wherein processing the L2 frames is further based on the shared group information (Mohammed [0188] AAA server 612 may keep a list of each of end devices 620 of a user (which may be stored persistently in user DB 616 or AAA server 612). This list may include a unique device identifier for each and every MAC address. As long as a single end user does not have, e.g., more than 256 end devices, this can work well. If more than 256 end devices occur, AAA server 612 may remove from the list the end device having the oldest date/time when it last authenticated to the network (and, thus, is likely no longer being used by the user)).
As per claim 11: Ficara in view of Mohammed discloses the method of claim 10, wherein the PSK group information comprises a first list of hardware addresses of devices in the list of devices and wherein the shared group information comprises a second list of hardware addresses of devices in the additional list of devices (Mohammed [0143] Then, the interface circuit in access point 116-1 may provide a message 512 with a random number that is associated with access point 116-1 (such as an ANonce). After receiving message 512, electronic device 110-1 (such as a processor in electronic device 110-1) may perform a cryptographic calculation (CC) 514 using a passphrase (such as a DPSK), the random number from access point 116-1, a random number associated with electronic device 110-1 (such as an SNonce), an identifier of access point 116-1 (such as a MAC address), and/or an identifier of electronic device 110-1 (such as a MAC address). Moreover, the interface circuit in electronic device 110-1 may provide a message 516 with inputs to the cryptographic calculation 514 and an output of the cryptographic calculation 514. For example, message 516 may include the random number associated with electronic device 110-1 and a MIC).
As per claim 12: Ficara in view of Mohammed discloses the method of claim 11, wherein processing the L2 frames comprises comparing a source hardware address of a second L2 frame to one or more hardware addresses in the second list of hardware addresses in the shared group information (Ficara [0034] Similar to Embodiment 1, the client is provided with both PSK and index (in the form of a single password/key). In this embodiment, the EAPOL-key Frame field 8 600 may be leveraged since it is left unused ("Reserved") in the IEEE 802.11 standards, as shown in FIG. 6. Field 8 600 was left as padding to allow the Key Information IE+Key Data IE to round up to an 8-multiple. This field may be used to carry the PSK index. In this embodiment, the PSK index is not a Layer 2 element, but the index provided by the landlord to the tenant. Just like in Embodiment 1, the index is then used to match the client attempt against a single PSK).
As per claim 13: Ficara in view of Mohammed discloses the method of claim 11, wherein processing the L2 frames comprises comparing a destination hardware address of a second L2 frame to one or more hardware addresses in the second list of hardware addresses in the shared group information (Ficara [0060] On the other hand, if at operation 1212, the MAC of the STA was not known, then one of three operations is possible to find a match between the MAC address of the STA and a PSK. At 1220, location-based onboarding may be used. This onboarding can make use of the PSKs configured for a given AP at the location. At 1222, the STA may be given a PSK via a VSIE using an index, and then a PSK corresponding to that index is used. Alternatively, at 1224, a PSK index value can be delivered to the STA via an EAPOL key frame reserved field, and then the PSK corresponding to that index may be used. In the end, at 1228, pre-shared key management logic 150 and/or WLC 220 determines if there is a match between the MAC address of the STA seeking to join the wireless network and a PSK. If not, the STA (client) is rejected at 1230)).
As per claim 14: Ficara in view of Mohammed discloses the method of claim 9, wherein processing the L2 frames comprises making a determination, based on the PSK group information, that a source hardware address of the first L2 frame and a destination hardware address of the first L2 frame are of devices in different PSK groups and wherein the first L2 frame is dropped based on the determination (Ficara [0061] If there is a match between the MAC address of the STA and a PSK, then at 1226 pre-shared key management logic 150 may publish that binding to a radius (AAA) server, WLC or other node that may make use of such binding to maintain or establish a desired policy. Operations 1216 and 1218 are then executed to enable the STA (client) to join the WLAN).
As per claim 15: Ficara in view of Mohammed discloses the method of claim 9, wherein processing the L2 frames comprises forwarding a second L2 frame from the host device and destined for a different host device in the first PSK group based on the PSK group information (Ficara [0052] In this case, STA 210 associates to the WLAN via the WLC 220. After the EAPOL M1 and M2 message exchange, WLC 220 checks if the STA MAC address is known. If the MAC address is known, the WLC continues with the EAPOL M3 frame, and subsequent EAPOL M4 message. If the MAC address is not known, WLC 220 performs a search as in the previous embodiments. Once the 4-way handshake completes successfully, WLC 220 queries the radius (i.e., AAA) server 910, using a MAC Authentication Bypass (MAB) frame, forwarding the PSK index, optionally the STA MAC address, and optionally the called-Station-ID (the AP to which the STA 210 is attempting to connect). The radius server 910 returns in the MAB response, the policies for that PSK index in that location (e.g., access not allowed or BW=0). Those skilled in the art will appreciate that these messages can also be carried in other containers (e.g., Change of Authorization (CoA) or others).
As per claim 16: Ficara in view of Mohammed discloses the method of claim 15, wherein processing the L2 frames comprises forwarding a third L2 frame from the host device and destined to or sourced from a shared host device in a shared group (Ficara [0058] FIG. 11 shows a database scheme for associating the several parameters described according to an example embodiment. As can be seen in FIG. 11, WLC 220 may maintain information about devices (e.g., STAs), policies, PSK, and zone/APs. Radius server 910 may maintain information about tenants, policies, PSK, zone/APs and onboarding PSKs. And pre-shared key management logic 150 may maintain information about apartments (units) and APs. Those skilled in the art will appreciate that the location where the several data elements are stored is provided as an example, and other distributions or arrangements are possible).
As per claim 17: Ficara in view of Mohammed discloses the method of claim 9, wherein processing the L2 frames comprises: dropping a first broadcast, unknown unicast, or multicast (BUM) L2 frame from the host device and outputting one or more unicast L2 frames having destination hardware addresses in the same PSK group (Mohammed [0217] During operation of the system, the access points may have been configured via their controller(s) to broadcast the SSID of the hotel. Over the air, the security advertised may be WPA-personal or WPA2-personal. [0218] Then, a guest may turn on their wireless electronic device or may bring an electronic device that is already operating into their room and, thus, into radio range of one of the access points in the hotel. The wireless electronic device may discover the WLAN being broadcast by the access point, may realize that it (the electronic device) has been configured with a PSK (or passphrase) for that SSID, and may join the network. Upon joining the network, the electronic device may begin PSK authentication).
As per claim 18: Ficara discloses one or more non-transitory computer-readable storage media comprising computer-executable instructions that, when executed by one or more processors for a network device, cause the one or more processors to:
maintain device group information that includes first and second user groups each identifying a list of host devices belonging to the respective user group and that includes a shared device group identifying a list of shared host devices ([0028] FIG. 3 illustrates a unit to zone mapping in a network controller. A pre-shared key management logic 150, which may be hosted/executed on/by a management tool such as a network controller (e.g., Cisco's Digital Network Architecture (DNAC)), assigns zones (e.g., A1-A7, B1-B8, C1-CA, D1-DD, E1-E3, F1-F7, G1-GB, L1-LA, Common 1, Common 2, Common 3, Common 4, Common 5, Common 6) to a map 300. As indicated, the zones can be common areas or individual dwellings; the multiple zone mapping constitutes a plurality of groups); and
process a plurality of frames from a first host device identified in the first user group based on the maintained device group information by ([0036] APs deployed in a non-shared space (e.g., a particular unit) can be configured to service only a small subset of users (and a single tenant contract), and therefore the PSK search space is reduced to 1 (with WPA3, or a few PSKs, if the local policy allows more than one WPA2 PSK per unit). [0037] Then, a seed-from-home method is instantiated. With this method, tenants are requested to establish the first connection from their home, apartment, or unit. As the connection AP is known, this method allows the search space to be reduced to a small set of keys. Then, once the STA authentication completes, the STA MAC address is mapped with the associated PSK);
forwarding a second frame destined for a third host device identified in the first user group, based on ([0052] AAA PSK Policy Delegation illustrates a call flow for PSK association with internal known client cache, according to an example embodiment. In the embodiment of FIG. 9, the WLC performs the PSK search. In this case, STA 210 associates to the WLAN via the WLC 220. After the EAPOL M1 and M2 message exchange, WLC 220 checks if the STA MAC address is known. If the MAC address is known, the WLC continues with the EAPOL M3 frame, and subsequent EAPOL M4 message. If the MAC address is not known, WLC 220 performs a search as in the previous embodiments. Once the 4-way handshake completes successfully, WLC 220 queries the radius (i.e., AAA) server 910, using a MAC Authentication Bypass (MAB) frame, forwarding the PSK index, optionally the STA MAC address, and optionally the called-Station-ID (the AP to which the STA 210 is attempting to connect). The radius server 910 returns in the MAB response, the policies for that PSK index in that location (e.g., access not allowed or BW=0). Those skilled in the art will appreciate that these messages can also be carried in other containers (e.g., Change of Authorization (CoA) or others)); and
forwarding a third frame destined for a shared host device identified in the shared device group ([0053] In AAA PSK Search Delegation, the search task is initially performed in the AAA server. A call flow for PSK association with known client cache on a Remote Authentication Dial-In User Service (RADIUS) server, according to an example embodiment. In this case, at the association phase, the WLC 220 verifies if it has a map between the requesting MAC address and the PSK (and uses that PSK if a mapping is found). If the MAC address is not found, the WLC 220 relays the query to the radius server 910). [0085] In sum, in one embodiment a method is provided. The method includes defining a plurality of geographical zones corresponding to a geographical area that is serviced by a common service set identifier for a wireless local area network; assigning a pre-shared key to a mobile station based on the plurality of geographical zones, wherein the pre-shared key is associated with predetermined policies for a user of the mobile station; associating a media access control address of the mobile station with the pre-shared key; and controlling access of the mobile station to the wireless local area network based on the predetermined policies. [0086] In an embodiment, the method may further include respectively associating access points for the wireless local area network to individual geographical zones in the plurality of geographical zones.
Ficara does not explicitly disclose dropping a first frame destined for a second host device identified in the second user group, comparing a source MAC address of the second frame to MAC addresses of the list of host devices belonging to the first user group and based on comparing a destination MAC address of the second frame to the MAC addresses of the list of host devices belonging to the first user group. Mohammed, in analogous art however, discloses dropping a first frame destined for a second host device identified in the second user group, comparing a source MAC address of the second frame to MAC addresses of the list of host devices belonging to the first user group and based on comparing a destination MAC address of the second frame to the MAC addresses of the list of host devices belonging to the first user group ([0185] Because the network forwarding is based at least in part on the mapped MAC address of end device 620-1, access point 618-1 may replace the MAC address of end device 620-1 inside the ARP response payload with its mapped MAC address. Therefore, end device 620-3 now has the mapped MAC address of end device 620-1. Once the ARP exchange is completed, end device 620-3 may send its message in a frame having its own MAC address as the source MAC address and the mapped MAC address for end device 620-1 as the destination MAC address. End device 620-3 sending the frame and the network know the destination device by its mapped MAC address, not its native MAC address. Therefore, when the frame arrives at access point 618-1, access point 618-1 may know end device 620-1 is a member of group identifier 1, and may replace the destination MAC address in the frame with the native MAC address of end device 620-1. Otherwise, end device 620-1 would filter the frame. [0243] As shown in Table 1, the mapped MAC address may include a MAC organizationally unique identifier, the group identifier and the device identifier.
Note that the MAC organizationally unique identifier has a range of 2^24 MAC addresses. In order to assure there is no conflict with any other MAC addresses present on the network in a hotel, a new MAC organizationally unique identifier may be obtained (e.g., from the IEEE) and used for MAC-mapping purposes. In this example, two bytes have been reserved for the group identifier (accommodating up to 65,535 rooms in a hotel) and 1 byte has been reserved for the device identifier (accommodating 256 end devices per guest). However, other mapped MAC address formats are possible. In some embodiments, if the MAC organizationally unique identifier is f0:b0:52, the first end device is assigned to room 1 (group identifier 1) and the device identifier is 9, its mapped MAC address may be f0:b0:52:00:01:09. [0244] Suppose that a first end device has a frame to send to a second end device. The access point may receive the frame, may map the source MAC address of the frame as described previously and, by inspecting the destination MAC address in the frame, may determine that the frame is destined to the second end device. Because the access point knows (from DPSK authentication) that the end device is a member of group identifier 1, and because the mapped source MAC address has a matching group identifier, the access point may forward the frame to the second end device. However, if the group identifier in the mapped MAC address did not match the group identifier of the destination device, the access point would filter (or drop) the frame).
Therefore, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the claimed limitations of the network device disclosed by Ficara to include wherein the host device is in the first PSK group and wherein processing the L2 frames comprises dropping, by the wireless access point, a first L2 frame from the host device and destined for an additional host device in a second PSK group based on the PSK group information. This modification would have been obvious because a person having ordinary skill in the art would have been motivated by a compelling desire to provide techniques for authenticating one or more devices to a dynamic personal area network (PAN) in a network based on a passphrase or certificate-based authentication and a policy associated with the network, such as a policy that is based at least in part on a condition as suggested by Mohammed ([0007]-[0008]).
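The following Python model is added here as an illustration only; it is not code from Ficara, Mohammed, the applicant or the examiner. It implements the mapped-MAC format quoted from Mohammed [0243] (OUI, two-byte group identifier, one-byte device identifier, using the OUI f0:b0:52 and the room-1/device-9 example from that passage) and the access-point forwarding decisions recited in claims 9 and 14-17 and in the claim 18 limitations above: forward between devices of the same PSK group, drop between different PSK groups, forward to or from a shared host device, and replace a broadcast, unknown-unicast or multicast (BUM) frame with unicast copies addressed to the sender's own group. The class and function names, the treatment of shared-group traffic and the sample devices are assumptions made for this example.

```python
# Added example: toy model of the mapped-MAC scheme quoted from Mohammed
# [0243]-[0244] and the PSK-group forwarding rules of claims 9 and 14-17.
# Not code from either cited application; the OUI f0:b0:52 is taken from
# the quoted text, everything else here is an assumption of this example.
from dataclasses import dataclass, field

OUI = "f0:b0:52"                 # mapping OUI from the quoted example
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mapped_mac(group_id: int, device_id: int, oui: str = OUI) -> str:
    """OUI (3 bytes) | group identifier (2 bytes) | device identifier (1 byte)."""
    if not 0 <= group_id <= 0xFFFF:
        raise ValueError("group identifier must fit in two bytes (0-65535)")
    if not 0 <= device_id <= 0xFF:
        raise ValueError("device identifier must fit in one byte (0-255)")
    return f"{oui}:{group_id >> 8:02x}:{group_id & 0xFF:02x}:{device_id:02x}"


def parse_mapped_mac(mac: str, oui: str = OUI):
    """Return (group_id, device_id), or None if mac does not carry the mapping OUI."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or ":".join(octets[:3]) != oui.lower():
        return None
    return (int(octets[3], 16) << 8) | int(octets[4], 16), int(octets[5], 16)


def is_bum(dst: str, known: set) -> bool:
    """Broadcast, multicast (I/G bit of the first octet set) or unknown unicast."""
    dst = dst.lower()
    if dst == BROADCAST or int(dst.split(":")[0], 16) & 1:
        return True
    return dst not in known      # unknown unicast: no authenticated owner


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes = b""


@dataclass
class AccessPoint:
    """PSK-group information learned at (D)PSK authentication: native MAC of each
    authenticated device -> its mapped MAC, plus the shared device group."""
    mapping: dict = field(default_factory=dict)   # native mac -> mapped mac
    shared: set = field(default_factory=set)      # native macs of shared devices

    def admit(self, native: str, group_id: int, device_id: int) -> str:
        """Bind a native MAC to a mapped MAC once the device has authenticated."""
        self.mapping[native.lower()] = mapped_mac(group_id, device_id)
        return self.mapping[native.lower()]

    def group_of(self, native: str):
        mapped = self.mapping.get(native.lower())
        return parse_mapped_mac(mapped)[0] if mapped else None

    def members(self, group_id: int):
        return sorted(m for m in self.mapping if self.group_of(m) == group_id)

    def process(self, frame: Frame):
        """Return (decision, frames actually sent) for one L2 frame from a host."""
        src, dst = frame.src.lower(), frame.dst.lower()
        src_group = self.group_of(src)
        # A source that never authenticated has no mapped address: drop it.
        if src_group is None and src not in self.shared:
            return "drop: source not authenticated", []
        # Claim 16: traffic to or from a shared host device is forwarded.
        if dst in self.shared or src in self.shared:
            return "forward: shared group", [frame]
        known = set(self.mapping) | self.shared
        if is_bum(dst, known):
            # Claim 17: drop the BUM frame, unicast copies to the sender's own group.
            outs = [Frame(src, m, frame.payload) for m in self.members(src_group) if m != src]
            return "drop BUM, unicast to same PSK group", outs
        # Claims 14/15: compare the group identifiers of source and destination.
        if self.group_of(dst) == src_group:
            return "forward: same PSK group", [frame]
        return "drop: different PSK group", []


# Constructed sample topology: room 1 has two guest devices, room 2 has one,
# and one shared printer is reachable from every room.
ap = AccessPoint()
ap.admit("02:00:00:00:00:01", group_id=1, device_id=9)    # -> f0:b0:52:00:01:09
ap.admit("02:00:00:00:00:02", group_id=1, device_id=10)
ap.admit("02:00:00:00:00:03", group_id=2, device_id=1)
ap.shared.add("02:00:00:00:00:ee")

if __name__ == "__main__":
    for f in (Frame("02:00:00:00:00:01", "02:00:00:00:00:02"),
              Frame("02:00:00:00:00:01", "02:00:00:00:00:03"),
              Frame("02:00:00:00:00:01", "02:00:00:00:00:ee"),
              Frame("02:00:00:00:00:01", BROADCAST)):
        decision, outs = ap.process(f)
        print(f"{f.src} -> {f.dst}: {decision}; {len(outs)} frame(s) out")
```

The forwarding decision is taken on the group identifier carried in the mapped address, not on a per-pair access list, which is what lets a single table learned at authentication enforce isolation between rooms. The isolation is only as strong as the native-to-mapped binding: a frame whose source address was never bound at (D)PSK authentication has no group and is dropped here, so a station cannot join another room's group merely by spoofing a source MAC.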
As per claim 19: Ficara in view of Mohammed discloses the one or more non- transitory computer-readable storage media of claim 18 further comprising computer-executable instructions that, when executed by the one or more processors for the network device, cause the one or more processors to receive additional device group information from a provisioning server and update the maintained device group information based on the additional device group information (Ficara [0048] One solution is to store the MAC and PSK in the network controller, and more specifically in pre-shared key management logic 150. There are at least two other extensions to solve this issue, by delegating part of the mapping storage to an Authentication, Authorization, and Accounting (AAA) server).
As per claim 20: Ficara in view of Mohammed discloses the one or more non-transitory computer-readable storage media of claim 19, wherein the network device comprises a wireless access point (Ficara [0020] Providing wireless local area network (WLAN), e.g., Wi-Fi®, network connectivity to tenants of multi-dwelling units (MDUs) has challenges. Reference is made to FIG. 1, which is a diagram depicting challenges associated with providing wireless network access in multi-dwelling communities for which the techniques presented herein are configured to address using pre-shared key management logic 190 in accordance with an example embodiment. As can be seen in the figure, a single (neighborhood) service set identifier (SSID) 110 is typically assigned for the entire complex 100 so that users can walk to common areas, from their unit (e.g., apartment) 120, without having to learn a new SSID and so that the landlord only needs to manage a single SSID, instead of managing a different SSID per unit. For example, a user might first visit their new unit 120, and then later, and over time, a pool 130, or fitness center 140. Wireless network access at each of these locations may be controlled, as will be explained in more detail below, by pre-shared key management logic 190. At a high level pre-shared key management logic 190 assigns and keeps track of policies associated with pre-shared keys that are assigned to individual users (e.g., tenants)).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See the Notice of References Cited (form PTO-892) for additional prior art.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TECHANE GERGISO whose telephone number is (571)272-3784. The examiner can normally be reached 9:30am to 6:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LINGLAN EDWARDS can be reached at (571) 270-5440. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TECHANE GERGISO/Primary Examiner, Art Unit 2408