04-10-2019 10:14 AM - edited 07-05-2021 10:14 AM
We are testing a solution that we plan on implementing at a client site.
Scenario:
The client site is a building with several tenants. All tenants use a single SSID and are authenticated using 802.1x to ISE, and ISE is configured with external RADIUS servers of the tenants. Several of the tenants want to use Chromecast devices in their network but do not want other tenants to be able to see the devices they are using. We have gotten everything working as expected...when the Chromecast device is already connected to the wireless network.
Once we simulate adding / onboarding a new Chromecast device to the client network, Chromecast complains with the error "Check Internet Connection" when connecting to the wifi network. Once we remove the access list we applied to the SSID, Chromecast is able to connect to the wireless network, but tenants are able to see each other's devices. When we reapply the access list everything works as expected. I suspect that there is a call-home feature where the return traffic is being dropped, though I don't quite understand why it would be dropped as I do have a permit IP any any under the rules that deny traffic to 1918 address space.
Has anyone attempted a similar setup and got it working?
IP addresses:
Chromecast-Test-1 subnet - 10.172.20.0/24
Chromecast-Test-2 subnet - 10.172.30.0/24
LAN-Test subnet - 10.172.10.0/24
Access-list
Source | Destination | Protocol | Source Port | Destination Port | Action
any | any | UDP | any | dns | Permit
any | any | UDP | dns | any | Permit
any | any | UDP | any | bootpc | Permit
any | any | UDP | bootpc | any | Permit
10.172.10.0/24 | 10.172.20.0/24 | any | any | any | Permit
10.172.20.0/24 | any | any | any | any | Permit
10.172.30.0/24 | 10.172.20.0/24 | any | any | any | Deny
10.0.0.0/8 | any | any | any | any | Deny
172.16.0.0/12 | any | any | any | any | Deny
192.168.0.0/16 | any | any | any | any | Deny
any | any | any | any | any | Permit
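To see which rule catches a given flow, here is an added first-match evaluator (not the poster's configuration or any WLC code) that walks the table above in the order listed. It assumes plain top-down first-match evaluation with an implicit deny at the end and ignores ACL direction; 203.0.113.10 is a constructed stand-in for an Internet host.

```python
import ipaddress
from collections import namedtuple

# Constructed service-name table covering only the names the posted ACL uses.
SERVICES = {"dns": 53, "bootpc": 68, "bootps": 67}

Rule = namedtuple("Rule", "src dst proto sport dport action")

# The posted access list, copied in the order it was listed.
ACL = [
    Rule("any", "any", "udp", "any", "dns", "permit"),
    Rule("any", "any", "udp", "dns", "any", "permit"),
    Rule("any", "any", "udp", "any", "bootpc", "permit"),
    Rule("any", "any", "udp", "bootpc", "any", "permit"),
    Rule("10.172.10.0/24", "10.172.20.0/24", "any", "any", "any", "permit"),
    Rule("10.172.20.0/24", "any", "any", "any", "any", "permit"),
    Rule("10.172.30.0/24", "10.172.20.0/24", "any", "any", "any", "deny"),
    Rule("10.0.0.0/8", "any", "any", "any", "any", "deny"),
    Rule("172.16.0.0/12", "any", "any", "any", "any", "deny"),
    Rule("192.168.0.0/16", "any", "any", "any", "any", "deny"),
    Rule("any", "any", "any", "any", "any", "permit"),
]

def _net_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)

def _port_match(pattern, port):
    return pattern == "any" or SERVICES[pattern] == port

def evaluate(acl, src, dst, proto, sport, dport):
    """Return (action, 1-based index) of the first matching rule,
    or ("deny", None) when nothing matches (implicit deny)."""
    for idx, r in enumerate(acl, start=1):
        if (_net_match(r.src, src) and _net_match(r.dst, dst)
                and r.proto in ("any", proto)
                and _port_match(r.sport, sport) and _port_match(r.dport, dport)):
            return r.action, idx
    return "deny", None

if __name__ == "__main__":
    # Constructed sample flows (src, dst, proto, sport, dport).
    flows = [
        ("10.172.10.5", "10.172.20.7", "tcp", 40000, 443),   # LAN-Test -> Chromecast-Test-1
        ("10.172.30.5", "10.172.20.7", "tcp", 40000, 443),   # Chromecast-Test-2 -> Chromecast-Test-1
        ("10.172.30.5", "203.0.113.10", "tcp", 40000, 443),  # Chromecast-Test-2 -> Internet
        ("10.172.20.7", "203.0.113.10", "tcp", 40000, 443),  # Chromecast-Test-1 -> Internet
        ("203.0.113.10", "10.172.30.5", "tcp", 443, 40000),  # Internet -> Chromecast-Test-2
        ("10.172.30.5", "10.172.1.1", "udp", 68, 67),        # DHCP client request
    ]
    for f in flows:
        print(f, "->", evaluate(ACL, *f))
```

Under these assumptions the 10.0.0.0/8 deny (rule 8) catches outbound traffic from 10.172.30.0/24 to the Internet before the final permit is ever reached, while the reverse direction lands on rule 11.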
04-12-2019 07:37 AM
try adding bootps in addition to bootpc to the access list
04-14-2019 11:05 PM
Well, we figured it out...eventually.
The actual registration of the device needs to be done on the same network as the chromecast device. So, if you are using an iPad to connect the Chromecast device, the iPad and the Chromecast device need to be on the same network / SSID. Once the Chromecast device is registered we were able to cast from 10.172.10.0/24 to 10.172.20.0/24.
Another issue we saw is that even though both devices were connected to the same SSID we still needed to allow traffic in the ACL between devices on the same network. We needed to add an ACL entry as follows:
Permit IP from source 10.172.20.0/24 to destination 10.172.20.0/24.
Without this statement, the iPad was not able to communicate with the Chromecast device.
We also had a misconfiguration in our existing ACL, which had the direction of the ACL set to "any"; we had to change this to "inbound".
We are now able to have several tenants passing through the same AP and WLC and not have them see or be able to cast to each other's devices. These tenants can also be connected to the same SSID or different SSIDs, same APs or different APs.