Hospitality Chromecast - Room Isolation

Deviant
Here to help

Good Day

I have an interesting use case that I just can't get my head around.

We have a customer that wants to have Chromecast ability in each room, while also ensuring that each room can only cast to the room the client is connected to.

So the setup is: at the ICT Room we have 3x MS410-16 stacked switches to multiple buildings and rooms.

There are 9 Villas and 2 Rooms per Villa. Each Room has Fiber Optic cable back to the ICT Room, in a full Star Topology.

Each room has an MS225-24 (due to many UTP requirements as well as SFP requirements), and also an MR33.

So the requirement for Roaming is clear: they want seamless roaming without loss of connectivity across the premises, therefore I have a single guest VLAN which I bridge to a Guest SSID.

Now comes the challenge of how do I let a Guest be on one VLAN and only see their room Chromecast when they are in their room.

The first thing that was on the cards was Port Isolation on the MS410 switches, but this won't work across stacked switches, so that option is out. Then I thought of looking into the access control on the SSID and trying to isolate Layer 2 traffic or deny LAN traffic, thinking that only AP clients would be able to get to AP clients. I tested, and when I enable Layer 2 traffic isolation or deny Layer 3 LAN traffic I lose comms to even my local clients on the same AP. So would something like Bonjour forwarding work for this use case? The problem still is how to isolate the various rooms from each other. Another option might be to have an ACL deny traffic on the MS410 switches, but then I would have to split the network on the cloud since the ACLs are network-wide, not switch-specific, which also does not seem ideal.

A perfect example of what I need is something like Private VLANs.

Not quite sure how to meet both requirements of Roaming as well as Chromecast room isolation.

Does anyone have some advice?

Adam
Kind of a big deal

We had a similar deployment/issue. Unfortunately, the Chromecast devices don't have the ability to set a passcode or other security measure. They are pretty much insecure open devices. So the only option is to isolate via VLAN or to just name them and trust that people will cast to the correct device(s).

In some of our conference rooms we use this solution for a more secure option. It's a lot more expensive but may be of interest depending on your application: https://www.barco.com/en/product/clickshare-cs-100

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
EClap5
Getting noticed

@Adam +1 for Barco. We utilize Barco in our conference rooms as well and by default Air Marshal leaves them alone.

PhilipDAth
Kind of a big deal

I think I would use a VLAN per room, and then I would use layer 3 roaming.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Layer_3_Roaming

Layer 3 roaming guarantees you will always be connected to the first VLAN you attached to - even if you roam to another access point.

Deviant
Here to help

Thanks for the response.

First problem is there is no MX appliance, so we can't do that.

Even if there was an MX appliance, how would you know Guest A is in Room A, for example? Would the guest not just authenticate to the WLAN depending on when he/she feels like it and then just roam accordingly? What if the device then disassociates and associates again to a wrong room? Walk around to their own room and roam in the wrong VLAN?

Not sure this would work.

aalex01
Conversationalist

Hoist group Chromecast proxy offers this feature. There's a pairing step to allow access only for the room where the Chromecast is.

Alexandre.

DHAnderson
Head in the Cloud

You might be able to use Group Policies and RADIUS to solve this issue.

On your RADIUS server, you would create a user and password for each room. These would be the credentials that guests will use to sign into a particular Room. Configure your RADIUS server to pass a room name along as a parameter.

In Meraki, create a Group Policy for each room, naming the group policy the same name that the RADIUS server will send. Assign the VLAN ID in the group policy.

Set up the WiFi SSID for guests to use your RADIUS authentication and layer 3 roaming.

In each room, have the Chromecast use the room credentials for the WiFi. Guests get the room credentials too, so they can sign into the WiFi.

In this scenario, guests sign into the WiFi from any access point, can roam between any access points, and are tied to a particular policy, VLAN and Chromecast.
Dave Anderson
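
The per-room mapping described in the reply above, sketched as an added example that is not part of any post in this thread. It assumes the RADIUS server is FreeRADIUS (its `users` file syntax) and that the room name is returned in the standard `Filter-Id` attribute; the user names, policy names and VLAN numbering are hypothetical.

```python
import secrets

VILLAS, ROOMS_PER_VILLA = 9, 2  # from the thread: 9 villas, 2 rooms per villa
BASE_VLAN = 100                 # assumption: room VLANs are numbered 101..118


def room_plan():
    """One entry per room: RADIUS user, group policy name, VLAN, password."""
    plan = []
    for villa in range(1, VILLAS + 1):
        for room in range(1, ROOMS_PER_VILLA + 1):
            index = (villa - 1) * ROOMS_PER_VILLA + room
            plan.append({
                "user": f"villa{villa}-room{room}",     # hypothetical naming
                "policy": f"Villa{villa}-Room{room}",   # must equal the group policy name
                "vlan": BASE_VLAN + index,
                "password": secrets.token_urlsafe(12),  # random, unique per room
            })
    return plan


def check_plan(plan):
    """Isolation breaks if two rooms share a user, policy, VLAN or password."""
    for key in ("user", "policy", "vlan", "password"):
        values = [entry[key] for entry in plan]
        if len(set(values)) != len(values):
            raise ValueError(f"duplicate {key} in room plan")
    return True


def freeradius_users(plan):
    """Render FreeRADIUS 'users' entries; Filter-Id carries the policy name."""
    lines = []
    for entry in plan:
        lines.append(f'{entry["user"]} Cleartext-Password := "{entry["password"]}"')
        lines.append(f'\tFilter-Id = "{entry["policy"]}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    plan = room_plan()
    check_plan(plan)
    print(freeradius_users(plan))
    for entry in plan:  # checklist for the group policies created by hand
        print(f'group policy {entry["policy"]} -> VLAN {entry["vlan"]}')
```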
jdsilva
Kind of a big deal
