CLOSED-LOOP NETWORK PROVISIONING BASED ON NETWORK ACCESS CONTROL FINGERPRINTING

§101 §102 §103

DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Claims 1-5, 9, and 12-20 were amended by preliminary amendments, claim 1-20 are pending. Double Patenting The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). The filing of a terminal disclaimer by itself is not a complete reply to a non-statutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13. The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer. Instant application 18/927424 US 12166758 B2 Claim 1. A method comprising: obtaining attribute information of a client device associated with a network access request to access a network, and based on the attribute information of the client device, provisioning one or more network resources for a data path with resource information corresponding to the attribute information of the client device, the data path being between the client device and the network. 1. A method comprising: receiving, by a network access control (NAC) system, a network access request for a client device to access an enterprise network; obtaining, by the NAC system, fingerprint information of the client device associated with the network access request, wherein the fingerprint information comprises information specifying one or more attributes associated with the client device; authenticating, by the NAC system, the client device to access the enterprise network; sending, by the NAC system and to a network management system (NMS), the fingerprint information of the client device; and provisioning, by the NMS, one or more network resources associated with the client device based on the fingerprint information of the client device, wherein provisioning the one or more network resources includes provisioning one or more network devices along a data path from the client device to the enterprise network with resource information corresponding to the one or more attributes associated with the client device. Claim 12. A system comprising: memory; and processing circuitry in communication with the memory and configured to: obtain attribute information of a client device associated with a network access request to access a network, and based on the attribute information of the client device, provision one or more network resources for a data path with resource information corresponding to the attribute information of the client device, the data path being between the client device and the network. 12. A system comprising: a network management system (NMS) configured to manage a plurality of network resources associated with an enterprise network; and a network access control (NAC) system in communication with the NMS, the NAC system configured to: receive a network access request for a client device to access an enterprise network, obtain fingerprint information of the client device associated with the network access request, wherein the fingerprint information comprises information specifying one or more attributes associated with the client device, authenticate, by the NAC system, the client device to access the enterprise network, and send, to the NMS, the fingerprint information of the client device; wherein the NMS is configured to provision one or more network resources associated with the client device based on the fingerprint information of the client device, wherein to provision the one or more network resources, the NMS is configured to provision one or more network devices along a data path from the client device to the enterprise network with resource information corresponding to the one or more attributes associated with the client device. Claim 20. Non-transitory computer-readable storage media medium storing instructions that when executed causes processing circuitry cause one or more processors to: obtain attribute information of a client device associated with a network access request to access a network, and based on the attribute information of the client device, provision one or more network resources for a data path with resource information corresponding to the attribute information of the client device, the data path being between the client device and the network. 20. A computer-readable storage medium storing instructions that when executed cause one or more processors to: receive, by a network access control (NAC) system, a network access request for a client device to access an enterprise network; obtain, by the NAC system, fingerprinting information of the client device associated with the network access request, wherein the fingerprint information comprises one or more attributes associated with the client device; authenticate, by the NAC system, the client device to access the enterprise network; send, by the NAC system and to a network management system (NMS), the fingerprint information of the client device; and provision, by the NMS, one or more network resources associated with the client device based on the fingerprint information of the client device, wherein to provision the one or more network resources, the instructions cause the one or more processors to provision one or more network devices along a data path from the client device to the enterprise network with resource information corresponding to the one or more attributes associated with the client device. Claims 1-20 are rejected on the ground of non-statutory double patenting as being unpatentable over claims1-20 of U.S. Patent No. US 12166758 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because similar limitations with minor variations. Claim Rejections - 35 USC § 101 35 U.S.C. 101 reads as follows: Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title. Claim 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. Regarding claim 1, the claim recites a method comprising a combination of “Obtaining…”, and “provisioning…”, the recited method is a process, which is a statutory category of invention. At step 2A, prong one analysis, the claim recites “obtaining attribute information of a client device associated with a network access request to access a network”; “based on the attribute information of the client device, provisioning one or more network resources for data path with resource information corresponding to the attribute information of the client device”; These limitations can be performed manually like, getting client serial number manually, giving access control device id or gateway (SSID or name) to connect user(client) by looking into paper where client vs AP/NAC/access controller list. These limitations - recite a mental process – that is a concept which may be performed in the human mind, such as an observation, evaluation, judgment, or opinion. (see MPEP 2106.04(a)(2). The courts do not distinguish between mental processes that are performed entirely in the human mind and mental processes that require a human to use a physical aid (e.g., pen and paper or a slide rule) to perform the claim limitation. (see MPEP 2106.04(a)(2).) At step 2A, prong two analysis, the claim is directed to a judicial exception and not integrated into a practical application. The claim, as a whole, just gives an indication of approval for using network resource based on collected attribute (provisioning one or more network resources). Additionally, “the data path being between the client device and the network” (providing Ip address of gateway) can be considered as insignificant extra-solution activity (see MPEP 2106.05(g)). At step 2B, the claim does not have additional elements that are sufficient to amount to significantly more than the judicial exception. Thus, the claim does not provide significantly more than the judicial exception of an abstract idea. The claim is not patent eligible. Independent claims 12 and 20 has similar limitations also rejected by same rational. Claims 2 and 13 recites the limitations “wherein obtaining the attribute information comprises: performing a lookup of an identifier of the client device in a user directory associated with the enterprise network” and “determining based on the lookup, the one or more attributes associated which the client device” is an insignificant extra solution activity. Thus, this claim recites an abstract idea (see 2106.05(g). Similarly, claims 3-11 and 14-19 also are directed an abstract idea without significantly more than the judicial exception. Claim Rejections - 35 USC § 102 The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action: A person shall be entitled to a patent unless – (a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention. Claims 1, 12, 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Delker et al(US 8363658 B1). With regards to Claim 1, Delker discloses, A method (Col 11 10-15; Turning now to FIG. 3, another method 300 of dynamically provisioning a virtual local area network is provided)comprising: obtaining attribute information of a client device associated with a network access request to access a network (FIG 3 302-304 and associated text; Col 35-50; Beginning at block 302, the authentication/authorization application 110 receives a request from the access device 130 to on behalf of a client device 150 to authenticate the client device 150 and provide it access to specific network services. At block 304, the authentication/authorization application 110 in authenticating the client device 150 examines credentials or other identifying or qualifying information provided by the client device 150 and any policies associated with the client device 150 and or network services requested.), and based on the attribute information of the client device (FIG 3 304 and associated text), provisioning one or more network resources for a data path with resource information corresponding to the attribute information of the client device (FIG 3 306 and associated text; Col 11 line 45-65; At block 306, the authentication/authorization application 110 determines that the client device 150 is a member of a group wherein all members of the group who attempt to access one or more specific network services are to be assigned the same virtual local area network tag, subnet interface configuration, and physical port designation on the access device 130 and firewall device 140.; abstract: A system is provided comprising a computer system, a configuration database, and a dynamic network interfaces application that receives a message from a network access component containing a request to authenticate a client device accessing a network service, determines that a policy requires the client device to be associated with a virtual local area network to access the network service, and authenticates the client device for association with the virtual local area network. The dynamic network interfaces application also searches the configuration database for configuration information to provision the virtual local area network, assigns the configuration information to the client device, the network access component, and a firewall component, and sends a reply containing the configuration information to the network access component and the firewall component in response to the request, wherein the configuration information comprises settings to provision the virtual local area network.), the data path being between the client device and the network (FIG 1 and associated text; network access component 130 in data path between client 150 and network 190 ). With regards to claim 12, Delker discloses, A system (FIG 7 and associated text) comprising: memory (FIG 7 386, 388 and associated text); and processing circuitry in communication with the memory (FIG 7 382 and associated text) and configured to: obtain attribute information of a client device associated with a network access request to access a network (FIG 3 302-304 and associated text; Col 35-50; Beginning at block 302, the authentication/authorization application 110 receives a request from the access device 130 to on behalf of a client device 150 to authenticate the client device 150 and provide it access to specific network services. At block 304, the authentication/authorization application 110 in authenticating the client device 150 examines credentials or other identifying or qualifying information provided by the client device 150 and any policies associated with the client device 150 and or network services requested.), and based on the attribute information of the client device (FIG 3 304 and associated text), provisioning one or more network resources for a data path with resource information corresponding to the attribute information of the client device (FIG 3 306 and associated text; Col 11 line 45-65; At block 306, the authentication/authorization application 110 determines that the client device 150 is a member of a group wherein all members of the group who attempt to access one or more specific network services are to be assigned the same virtual local area network tag, subnet interface configuration, and physical port designation on the access device 130 and firewall device 140.; abstract: A system is provided comprising a computer system, a configuration database, and a dynamic network interfaces application that receives a message from a network access component containing a request to authenticate a client device accessing a network service, determines that a policy requires the client device to be associated with a virtual local area network to access the network service, and authenticates the client device for association with the virtual local area network. The dynamic network interfaces application also searches the configuration database for configuration information to provision the virtual local area network, assigns the configuration information to the client device, the network access component, and a firewall component, and sends a reply containing the configuration information to the network access component and the firewall component in response to the request, wherein the configuration information comprises settings to provision the virtual local area network.), the data path being between the client device and the network (FIG 1 and associated text; Access device 130 in data path between client 150 and network 190 ). With regards to claim 20, Delker discloses, Non-transitory computer-readable storage media medium storing instructions that when executed causes processing circuitry cause one or more processors (Col 17 line 5-15; The processor 382 executes instructions, codes, computer programs, scripts which it accesses from hard disk, floppy disk, optical disk (these various disk based systems may all be considered secondary storage 384), ROM 386, RAM 388, or the network connectivity devices 392. While only one processor 392 is shown, multiple processors may be present. Thus, while instructions may be discussed as executed by a processor, the instructions may be executed simultaneously, serially, or otherwise executed by one or multiple processors. ) to: obtain attribute information of a client device associated with a network access request to access a network (FIG 3 302-304 and associated text; Col 35-50; Beginning at block 302, the authentication/authorization application 110 receives a request from the access device 130 to on behalf of a client device 150 to authenticate the client device 150 and provide it access to specific network services. At block 304, the authentication/authorization application 110 in authenticating the client device 150 examines credentials or other identifying or qualifying information provided by the client device 150 and any policies associated with the client device 150 and or network services requested.), and based on the attribute information of the client device (FIG 3 304 and associated text), provisioning one or more network resources for a data path with resource information corresponding to the attribute information of the client device (FIG 3 306 and associated text; Col 11 line 45-65; At block 306, the authentication/authorization application 110 determines that the client device 150 is a member of a group wherein all members of the group who attempt to access one or more specific network services are to be assigned the same virtual local area network tag, subnet interface configuration, and physical port designation on the access device 130 and firewall device 140.; abstract: A system is provided comprising a computer system, a configuration database, and a dynamic network interfaces application that receives a message from a network access component containing a request to authenticate a client device accessing a network service, determines that a policy requires the client device to be associated with a virtual local area network to access the network service, and authenticates the client device for association with the virtual local area network. The dynamic network interfaces application also searches the configuration database for configuration information to provision the virtual local area network, assigns the configuration information to the client device, the network access component, and a firewall component, and sends a reply containing the configuration information to the network access component and the firewall component in response to the request, wherein the configuration information comprises settings to provision the virtual local area network.), the data path being between the client device and the network (FIG 1 and associated text; Access device 130 in data path between client 150 and network 190 ). Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 2-4, 8, 10-11, 13-15, 19 are rejected under 35 U.S.C. 103 as being unpatentable over Delker et al(US 8363658 B1) in view of Satish et al(US 8190755 B1:IDS supplied). With regards to claim 2, 13 Delker in view of Satish discloses, wherein obtaining the attribute information comprises: performing a lookup of an identifier of the client device in a user directory associated with the enterprise network (Satish FIG 5 510 and associated text; ); and determining based on the lookup, the one or more attributes associated which the client device (Satish Col 5 line 20-30; In one embodiment, the NAC server 106 obtains the data to form a host fingerprint from the network address request of the host. For example, the NAC server 106 may obtain the MAC address for the requesting host from its request for a network address. Alternatively, the NAC server 106 may query the network security agent 306 in the requesting host to obtain additional data for the host fingerprint.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Delker’s method with teaching of Satish in order to provide secure access to the appropriate network (Satish, col 1 line 25-45;). Motivation would be same as stated in claim 2. With regards to claim 3, 14 Delker in view of Satish discloses, wherein the attribute information of the client device comprises a mapping of an identifier of the client device to the one or more attributes associated with the client device (Satish FIG 4 406 and associated text;). Motivation would be same as stated in claim 2. With regards to claim 4, 15 Delker in view of Satish discloses, wherein provisioning the one or more network resources associated with the client device comprises: determining at least one attribute of the one or more attributes associated with the client device based on the fingerprint information; and provisioning the one or more network resources with resource information comprising a mapping of an identifier of the client device to the at least one attribute of the client device and at least one network resource policy or feature configuration corresponding to the at least one attribute of the client device (Satish FIG 5 508, 510, 512, 514 and associated text;). Motivation would be same as stated in claim 2. With regards to claim 8, 19 Delker in view of Satish discloses, further comprising periodically updating the resource information at a network resource of the one or more network resources to remove identifiers of one or more client devices that are no longer using the network resource (Satish Col 6 line 35-45; In another embodiment, the network security agent 306 may obtain a replica of the entire table 208 from the NAC server 104, which may be periodically refreshed via configuration updates ). Motivation would be same as stated in claim 2. With regards to claim 10, Delker in view of Satish discloses, wherein an identifier of the client device comprises one or more of an Internet protocol (IP) address or a hostname (Satish col 5 line 5-35; In one aspect of the invention, before the NAC server 104 allows the DHCP server 106 to grant a network address to the requesting dynamic host, the NAC server 104 computes an indicium uniquely associated with the requesting dynamic host ("host fingerprint"). A host fingerprint includes a data item or a combination of data items associated with the requesting host or a representation of such data (e.g., a hash or encryption of such data). Such unique data may include, for example, a media access control (MAC) address associated with the requesting host (e.g., a unique address assigned to a network interface card (NIC) in the I/O interface 302).). Motivation would be same as stated in claim 2. With regards to claim 11, Delker in view of Satish discloses, wherein the one or more network resources comprise one or more of on-premises firewalls, cloud-based firewalls, switches, routers, access points, or servers (Satish col 3 line 0-10; The network 102 comprises a communication system that connects computer systems by wire, cable, fiber optic, and/or wireless links facilitated by various types of well-known network elements, such as hubs, switches, routers, and the like.). Motivation would be same as stated in claim 2. Claim(s) 5-7, 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Delker et al(US 8363658 B1) in view of Satish et al(US 8190755 B1:IDS supplied) and further Hannel et al(US 20080172366 A1). With regards to claim 5, 16 Delker in view of Satish do not but Hannel teaches, wherein determining the at least one attribute associated with the client device comprises: identifying a user group attribute associated with the client device as specified in the fingerprint information of the client device; and including the identifier of the client device in the identified user group (FIG 9 and associated text; and FIG 13A-B and associated text; [0234] In order to perform an access check, access filter 203 must determine what user groups the user making the request belongs to. The request includes an identification for the user, and the identification is the starting point for the determination. The tables in user group tables 1301 permit access filter 203 to determine from the identification what user groups the user belongs to and from those user groups, the hierarchical relations that determine the other user groups the user belongs to. Assuming that the user is identified by an IP address, access filter 203 begins by finding one or more tables of the IP Range Definition class (in 1317) which define ranges of IP addresses which include the user's IP address.). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention was made to modify Delker in view of Satish’s method with teaching of Hannel in order to control access to data (Hannel [0002]). With regards to claim 6, 17, Delker in view of Satish and Hannel teaches, wherein provisioning a network resource of the one or more network resources comprises updating an existing user group at the network resource to include the identifier of the client device, wherein the at least one network resource policy corresponds to the existing user group (FIG 8 and 9 and associated text; 124] The user groups specified in the administrative policy and policy maker policy portions of database 301 are user groups of administrators. In VPN 201, administrative authority is delegated by defining groups of administrators and the objects over which they have control in database 301. Of course, a given user may be a member of both ordinary user groups 317 and administrative user groups 319. Note: Add to Group in FIG 9). Motivation would be same as stated in claim 5, 16. With regards to claim 7, 18, Delker in view of Satish and Hannel teaches, wherein provisioning a network resource of the one or more network resource comprises provisioning the network resource with a new user group that includes the identifier of the client device and a new network resource policy corresponding to the new user group (148] What user groups a user belongs to may vary according to the mode of identification used to identify the user. Thus, if no access policies apply for the user groups that the user belongs to according to the modes of identification that the user has thus far provided to access filter 203, access filter 203 may try to obtain additional identification information and determine whether the additional identification information places the user in a user group for which there is a policy regarding the resource). Motivation would be same as stated in claim 5, 16. Allowable Subject Matter Claim 9 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 101(DP), set forth in this Office action and to include all of the limitations of the base claim and any intervening claims. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Wang et al(US 20230247021 A1) Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED WALIULLAH whose telephone number is (571)270-7987. The examiner can normally be reached 8.30 to 430 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 1-571-272-8878. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /MOHAMMED WALIULLAH/Primary Examiner, Art Unit 2498