Prosecution Insights
Last updated: April 18, 2026
Application No. 18/315,269

APPLYING A GROUP BASED POLICY TO NETWORK TRAFFIC FROM A CLIENT

Final Rejection §103
Filed: May 10, 2023
Examiner: BROWN, CHRISTOPHER J
Art Unit: 2439
Tech Center: 2400 — Computer Networks
Assignee: Hewlett Packard Enterprise Development LP
OA Round: 2 (Final)
Grant Probability: 75% (Favorable)
OA Rounds: 3-4
To Grant: 3y 6m
With Interview: 88%

Examiner Intelligence

Grants 75% — above average
Career Allow Rate: 75% (533 granted / 707 resolved; +17.4% vs TC avg)
Interview Lift: +12.6% (Moderate +13% lift; resolved cases with interview)
Avg Prosecution: 3y 6m (typical timeline; 36 currently pending)
Total Applications: 743 (career history, across all art units)

Statute-Specific Performance

§101: 12.7% (-27.3% vs TC avg)
§103: 54.6% (+14.6% vs TC avg)
§102: 10.4% (-29.6% vs TC avg)
§112: 11.1% (-28.9% vs TC avg)
Based on career data from 707 resolved cases

Office Action

§103
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments

Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Applicant argues that Lei US 2006/002686 does not anticipate the claims at issue because a group identifier identifies role traffic policy that is “independent of authorization of individual data requests”. Examiner would argue that the roles and access control based on roles as taught by Lei are also independent of “individual data requests”. In the interest of advancing prosecution, Examiner has included Voit US 2018/0139240 to be more explicit.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 8, 9, 11, 12, 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lei US 2006/0026286 in view of Voit US 2018/0139240.

As per claim 1. Lei teaches A method comprising: intercepting, by a proxy service on a proxy network device, a network access request message pertaining to a client from an access device on a network; forwarding, by the proxy service on the proxy network device, the network access request message to an authentication server; [0024] (teaches requesting access to a server that is forwarded through a proxy)

Lei teaches intercepting, by the proxy service on the proxy network device, a network access response message including role information of the client from the authentication server; Lei teaches obtaining, by the proxy service on the proxy network device, the role information of the client from the network access response message; [0009][0046][0047] (teaches reverse proxy receives data from the origin or security server, including role information of the client)

Lei teaches and in response to receiving network traffic from the client: identifying, by the proxy service on the proxy network device, a group based policy (GBP) corresponding to the role information of the client; and applying, by the proxy service on the proxy network device, the group based policy to the network traffic from the client. [0037][0043][0047][0051][0054] (teaches the proxy enforcing security based on role and access control groups and whether to allow communication based on said group security permissions)

Voit teaches mapping role information to a group identifier wherein the group based policy comprises role derived traffic policy identified by the group ID that defines rules governing treatment of network traffic associated with clients assigned to that role independent of authorization of individual data requests. [0027][0029][0030] (teaches security group tags applied to a network flow, the group applying to a group, and policy enforcement for network traffic based on the security group and role based access control)

It would have been obvious to one of ordinary skill in the art before the priority date of the instant application to use the teaching of Voit with the prior art because it improves network security.

As per claim 8. Lei teaches The method of claim 1, wherein intercepting the network access response message comprises intercepting a network access acceptance message from the authentication server. [0009][0031][0046] (teaches intercepting and monitoring traffic, receiving security information from server)

As per claim 9. Lei teaches the method of claim 1, wherein obtaining comprises receiving, by the proxy service on the proxy network device, the GBP from the authentication server. [0009][0033][0037][0043][0047][0051][0054] (teaches the proxy enforcing security based on role and access control groups and whether to allow communication based on said group security permissions)

As per claim 11. Lei teaches the method of claim 1, wherein the GBP corresponding to the role information of the client is present on the proxy network device. [0009][0033][0037][0043][0047][0051][0054] (teaches the proxy enforcing security based on role and access control groups and whether to allow communication based on said group security permissions)

As per claim 12. Lei teaches A proxy network device comprising: a processor; and a non-transitory storage medium storing instructions that, when executed by the processor, cause the proxy network device to: intercept a network access request message pertaining to a client from an access device on a network; [0024] (teaches requesting access to a server that is forwarded through a proxy)

Lei teaches forward the network access request message to an authentication server; intercept a network access response message including role information of the client from the authentication server; obtain the role information of the client from the network access response message; [0009][0046][0047] (teaches reverse proxy receives data from the origin or security server, including role information of the client)

Lei teaches and in response to receiving network traffic from the client: identify a group based policy (GBP) corresponding to the role information of the client; and apply the group based policy to the network traffic from the client. [0037][0043][0047][0051][0054] (teaches the proxy enforcing security based on role and access control groups and whether to allow communication based on said group security permissions)

Voit teaches mapping role information to a group identifier wherein the group based policy comprises role derived traffic policy identified by the group ID that defines rules governing treatment of network traffic associated with clients assigned to that role independent of authorization of individual data requests. [0027][0029][0030] (teaches security group tags applied to a network flow, the group applying to a group, and policy enforcement for network traffic based on the security group and role based access control)

It would have been obvious to one of ordinary skill in the art before the priority date of the instant application to use the teaching of Voit with the prior art because it improves network security.

As per claim 13. Lei teaches the proxy network device of claim 12, wherein the proxy network device is further to intercept the network access request message sent from the access device to the authentication server. [0009][0031][0046] (teaches intercepting and monitoring traffic, receiving security information from server)

Claim(s) 3, 4, 5, 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lei US 2006/0026286 in view of Voit US 2018/0139240 in view of Desai US 20210282069.

As per claim 3. Desai teaches the method of claim 1, wherein the network access response message includes a Media Access Control (MAC) address of the client. [0011]-[0013] [0030] [0037][0054] (teaches mapping a MAC address to a role and using said information at access points to approve or deny communications)

As per claim 4. Desai teaches the method of claim 3, further comprising: obtaining, by the proxy service on the proxy network device, the MAC address of the client from the network access response message; mapping, by the proxy service on the proxy network device, the MAC address of the client to the role information of the client; and storing, by the proxy service on the proxy network device, the mapping between the MAC address with the role information of the client. [0011]-[0013] [0030] [0037][0054] (teaches mapping a MAC address to a role and using said information at access points to approve or deny communications)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Desai with the prior art because it improves security.

As per claim 5. Desai teaches the method of claim 4, further comprising: sending, by the proxy service on the proxy network device, the mapping between the MAC address and the role information of the client to a second access device, wherein the GBP corresponding to the role information of the client is applied to the network traffic received on the second access device from the client. [0023] (teaches network discovery protocol which allows access points to share policies and roles, etc)

As per claim 6. Desai teaches the method of claim 5, wherein the access device and the second access device are access points (APs). [0025][0054] (access points)

Claim(s) 2, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lei US 2006/0026286 in view of Voit US 2018/0139240 in view of Boutros US 2018/0097734.

As per claim 2. Boutros teaches the method of claim 1, wherein intercepting the network access request message comprises listening to network communication from an Anycast IP address configured on the access device. [0003][0018][0028] (teaches configuring router to use Anycast IP address to further communicate with external networks)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Boutros with the prior art because it simplifies network routing.

As per claim 14. Boutros teaches the proxy network device of claim 12, wherein the proxy network device is further to listen to network communication from an Anycast IP address configured on the access device to intercept the network access request message. [0003][0018][0028] (teaches configuring router to use Anycast IP address to further communicate with external networks)

Claim(s) 7, 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lei US 2006/0026286 in view of Voit US 2018/0139240 in view of Sethi US 2023/0049341.

As per claim 7. Sethi teaches the method of claim 1, wherein intercepting the network access request message comprises intercepting an Extensible Authentication Protocol (EAP) response message of the client. [0015][0017] (teaches interception of EAP from client and forwarding to authentication server)

It would have been obvious to one of ordinary skill in the art to use the teaching of Sethi with the prior art because it expands the amount of authentication method compatibility and increases security.

As per claim 10. Sethi teaches the method of claim 1, wherein the proxy service is a Remote Authentication Dial-In User Service (RADIUS) proxy service and the authentication server is a RADIUS server. [0053][0064] (teaches the authentication server is a RADIUS server)

Claim(s) 15-16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lei US 2006/0026286 in view of Voit US 2018/0139240 in view of Sivaraj US 2017/0195220.

As per claim 15. Sivaraj teaches the proxy network device of claim 12, wherein the network comprises a Virtual Extensible Local Area Network (VXLAN). [0011]-[0015] (teaches use of VXLAN)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Sivaraj with the prior art because it allows implementation of virtual networks.

As per claim 16. Lei teaches A non-transitory machine-readable storage medium comprising instructions that upon execution cause a proxy network device to: intercept, via a proxy service on the proxy network device, forward, via the proxy service on the proxy network device, the network access request message to an authentication server; [0024] (teaches requesting access to a server that is forwarded through a proxy)

Lei teaches intercept, via the proxy service on the proxy network device, a network access response message including role information of the client from the authentication server; [0009][0046][0047] (teaches reverse proxy receives data from the origin or security server, including role information of the client)

Lei teaches obtain, via the proxy service on the proxy network device, the role information of the client from the network access response message; and in response to receiving network traffic from the client: identify, via the proxy service on the proxy network device, a group based policy (GBP) corresponding to the role information of the client; and apply, via the proxy service on the proxy network device, the group based policy to the network traffic from the client. [0037][0043][0047][0051][0054] (teaches the proxy enforcing security based on role and access control groups and whether to allow communication based on said group security permissions)

Voit teaches mapping role information to a group identifier wherein the group based policy comprises role derived traffic policy identified by the group ID that defines rules governing treatment of network traffic associated with clients assigned to that role independent of authorization of individual data requests. [0027][0029][0030] (teaches security group tags applied to a network flow, the group applying to a group, and policy enforcement for network traffic based on the security group and role based access control)

It would have been obvious to one of ordinary skill in the art before the priority date of the instant application to use the teaching of Voit with the prior art because it improves network security.

Sivaraj teaches a network access request message pertaining to a client from an access device on a VXLAN; [0011]-[0015] (teaches use of VXLAN)

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to use the teaching of Sivaraj with the prior art because it allows implementation of virtual networks.

Claim(s) 17-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Lei US 2006/0026286 in view of Voit US 2018/0139240 in view of Sivaraj US 2017/0195220 in view of Desai US 2021/0282069.

As per claim 17. Desai teaches The non-transitory machine-readable storage medium of claim 16, further comprising instructions to: obtain, via the proxy service on the proxy network device, a MAC address of the client from the network access response message; map, via the proxy service on the proxy network device, the MAC address of the client with the role information of the client; and store, by the proxy service on the proxy network device, the mapping between the MAC address and the role information of the client. [0011]-[0013] [0030] [0037][0054] (teaches mapping a MAC address to a role and using said information at access points to approve or deny communications)

As per claim 18. Desai teaches The non-transitory machine-readable storage medium of claim 17, further comprising instructions to: send the mapping between the MAC address and the role information of the client to a second access device, wherein the GBP corresponding to the role information of the client is applied to the network traffic received on the second access device from the client. [0011]-[0013] [0030] [0037][0054] (teaches mapping a MAC address to a role and using said information at access points to approve or deny communications)

As per claim 19. Sivaraj teaches The non-transitory machine-readable storage medium of claim 18, further comprising instructions to send the mapping between the MAC address and the role information of the client via a VXLAN. [0011]-[0015] (teaches use of VXLAN and mapping MAC address of the client)

As per claim 20. Desai teaches The non-transitory machine-readable storage medium of claim 16, further comprising instructions to authenticate the access device through the authentication server prior to forwarding the network access request message to the authentication server. [0011]-[0013] [0030] [0037][0054] (teaches mapping a MAC address to a role and using said information at access points to approve or deny communications)

Conclusion

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER BROWN whose telephone number is (571)272-3833. The examiner can normally be reached M-F 8-5.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached at (571) 270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER J BROWN/
Primary Examiner, Art Unit 2439

Prosecution Timeline

May 10, 2023: Application Filed
Oct 30, 2025: Non-Final Rejection — §103
Jan 26, 2026: Interview Requested
Feb 05, 2026: Examiner Interview Summary
Feb 12, 2026: Response Filed
Apr 02, 2026: Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12603822
SOFTWARE AS A SERVICE (SaaS) USER INTERFACE (UI) FOR DISPLAYING USER ACTIVITIES IN AN ARTIFICIAL INTELLIGENCE (AI)-BASED CYBER THREAT DEFENSE SYSTEM
2y 5m to grant Granted Apr 14, 2026
Patent 12574725
METHODS, APPARATUSES, COMPUTER PROGRAMS AND CARRIERS FOR SECURITY MANAGEMENT BEFORE HANDOVER FROM 5G TO 4G SYSTEM
2y 5m to grant Granted Mar 10, 2026
Patent 12563390
AUTHENTICATING A DEVICE IN A COMMUNICATION NETWORK OF AN AUTOMATION INSTALLATION
2y 5m to grant Granted Feb 24, 2026
Patent 12563056
SYSTEM AND METHOD FOR MONITORING AND MANAGING COMPUTING ENVIRONMENT
2y 5m to grant Granted Feb 24, 2026
Patent 12537828
ON-DEMAND SOFTWARE-DEFINED SECURITY SERVICE ORCHESTRATION FOR A 5G WIRELESS NETWORK
2y 5m to grant Granted Jan 27, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 3-4
Grant Probability: 75%
With Interview: 88% (+12.6%)
Median Time to Grant: 3y 6m
PTA Risk: Moderate
Based on 707 resolved cases by this examiner. Grant probability derived from career allow rate.
