How hard is it to allow a guest iPad to AirPlay onto a meeting room Apple TV that’s connected to the corporate wired network? Well, it’s not as easy as it sounds. In fact, it is one of the most challenging problems to solve when it comes to enabling AirPlay across a corporate wireless LAN.
Let’s start with the technology behind AirPlay, namely Apple’s Bonjour protocol (Apple’s implementation of zero-configuration networking). Apple Bonjour is designed primarily to be used at home, where a single IP subnet is present, so it operates at Layer 2. It uses multicast DNS (mDNS) to let two devices discover each other; because mDNS queries and answers are sent to a link-local multicast address that routers do not forward, discovery stops at the subnet boundary. This is where the first challenge comes into play: how are we supposed to route AirPlay from guest Wi-Fi onto the corporate wired network at L2? The question in itself is hard to comprehend. Read on, we have a solution.
When AirPrint and AirPlay are in high demand, network engineers are forced to make these services available across multiple subnets by updating the configuration of their wired network infrastructure. Traditionally, this means that the multicast DNS messages are routed across multiple subnets and visible to all Apple devices across the entire network.
This is not always the best solution, especially as the corporate network grows in size and is deployed with many Apple Bonjour capable devices. From an end user perspective, things get a little complicated rather than simple. When the end user device starts searching for a device, the end user sees everything on the network – printers in another building, Apple TVs in other conference rooms – which creates confusion and is very error-prone.
Last year, Aruba announced AirGroup to address this specific problem. It allows end users to see AirPrint and AirPlay services across multiple IP subnets – but only if they have been explicitly designated based on policy. Here is a quick (and fun) overview of Aruba AirGroup:
I love that video, but let’s get back to the problem at hand – allowing a guest to use an Apple TV in a meeting room. Here is a step-by-step account of how this is handled with Aruba AirGroup. Buckle up.
- The Aruba Mobility Controller discovers Apple Bonjour enabled devices on the wireless and the wired network. At this time, every wired VLAN that may contain such devices must be made visible to the Mobility Controller in order to enable this discovery. Soon enough we want to start using Aruba Mobility Access Switches and WLAN access points to take care of this task.
- Next, the guest iPad self-registers to the wireless network through the Aruba ClearPass Guest web authentication portal. It is recommended that guests are sponsor-approved by an employee in order to ensure a secure audit trail of the event. The sponsoring employee receives an email from the ClearPass Guest web server and hits “approve” within the email body to let the guest user onto the network. No IT involvement – all automated, as part of the guest self-registration process.
- Now the employee knows who this guest user is – in fact, they are probably in the same meeting. The employee asks for the MAC address of the guest user’s iPad, opens the Aruba Workspace mobile app, selects “My Devices” and finds the meeting room Apple TV that he has access to. He adds the guest iPad’s MAC address to the list of approved iPads that can access this specific Apple TV, and specifies in the Workspace mobile app that this privilege will only be available during the next two hours – for the duration of their meeting.
- This “shared ownership policy” gets pushed to Aruba ClearPass from the Workspace app. ClearPass then notifies the Aruba wireless LAN infrastructure of this change in the access policy.
- When the guest iPad requests to discover the Apple TVs available, the Aruba wireless LAN queries its Apple Bonjour database (also known as the mDNS proxy #geekalert) and maps it against the policy information received from ClearPass. Now we have a match! While all other guest user traffic is forwarded out to the DMZ, its AirPlay session is connected to the Apple TV in the meeting room.
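The post describes the last step in words only, so here is an added example (my own code, not Aruba’s) that models what the mDNS proxy does when it answers a guest’s discovery query: a constructed Bonjour database, a time-bounded shared-ownership policy, and a filter that returns only the services a given client MAC is allowed to see at a given moment. All names, MAC addresses and times are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of the Bonjour database (mDNS proxy cache) that the
# wireless LAN builds from discovered services; all values are made up.
BONJOUR_DB = [
    {"name": "Meeting Room 3 Apple TV", "type": "_airplay._tcp.local", "mac": "aa:bb:cc:00:00:01"},
    {"name": "Lobby Apple TV", "type": "_airplay._tcp.local", "mac": "aa:bb:cc:00:00:02"},
    {"name": "Floor 2 Printer", "type": "_ipp._tcp.local", "mac": "aa:bb:cc:00:00:03"},
]

@dataclass
class SharePolicy:
    """One time-bounded 'shared ownership' entry: an employee lets a
    specific guest MAC see a specific device MAC until a deadline."""
    device_mac: str
    guest_mac: str
    valid_from: datetime
    valid_until: datetime

    def permits(self, client_mac: str, now: datetime) -> bool:
        return (client_mac.lower() == self.guest_mac.lower()
                and self.valid_from <= now < self.valid_until)

def filter_discovery(client_mac, service_type, policies, now, db=BONJOUR_DB):
    """Answer a client's mDNS query from the proxy cache, keeping only the
    services a policy explicitly shares with that client right now.
    Default deny: with no matching policy a guest sees nothing."""
    return sorted(
        rec["name"] for rec in db
        if rec["type"] == service_type
        and any(p.device_mac.lower() == rec["mac"].lower()
                and p.permits(client_mac, now) for p in policies)
    )

def demo():
    """Walk the post's scenario: a two-hour share for one guest iPad."""
    start = datetime(2013, 6, 1, 9, 0)  # constructed meeting start time
    guest, apple_tv = "de:ad:be:ef:00:01", "aa:bb:cc:00:00:01"
    policy = SharePolicy(apple_tv, guest, start, start + timedelta(hours=2))
    during = filter_discovery(guest, "_airplay._tcp.local", [policy], start + timedelta(minutes=30))
    after = filter_discovery(guest, "_airplay._tcp.local", [policy], start + timedelta(hours=3))
    return during, after  # (['Meeting Room 3 Apple TV'], [])
```

The lobby Apple TV never appears in the guest’s results because no policy shares it, and the meeting room one disappears once the two-hour window expires.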
I don’t want to sound too narcissistic here, but a couple of remarkable things are taking place. First of all, there was no need to create an IT ticket. A guest and an employee got together, tapped a few times on their respective iPads and voila. While this is going on, network security is still intact – guest and employee networks are completely segregated from each other thanks to the stateful, context-aware firewall running on the Aruba wireless LAN.
Last but not least, we have managed to connect guest wireless to corporate wireless network at L2 for Apple AirPlay – without a single change in the network hardware configuration. Here is the full step-by-step:
With the arrival of Apple Bonjour in large scale wireless LANs, I am sure there will be more use cases that we will all come across. If you have got any interesting ones to share, please feel free to leave us a comment.