CarbonPepper wrote
With the OC200, the only option seems to be to set a SSID as having a guest status, which isolates all devices. The prevents a guest phone from reaching the guest chromecast.
Unfortunately, the common »Client Isolation« setting (falsely called »SSID Isolation« in older Omada Controllers < V3.x) has been transformed into »Guest Network« setting, which not only turns on »Client Isolation« in the WiFi chip, but also installs an invisible access control rule (ACL) blocking private IPs.
This option has been introduced to allow for a »single click« easy guest network setup without the need to configure a separate, isolated guest network on the router.
However, for your use case you need a separate guest network so you can isolate it from the LAN and you want to turn of »Guest Network«, so clients associated to the same SSID/radio can access each other. You then could define an ACL on OC200 or use firewall rules on your router to block traffic into the LAN while allowing traffic inside the guest network, thus allowing clients to access each other using even different EAPs.
A common way to set up such a topology is using a VLAN-aware router, since you need VLAN-mapped SSIDs for the LAN and guest network if you want to serve both networks wirelessly. See this HowTo (scroll down to the section named »Method 2«) for an example of setting up a LAN and a guest network using VLANs. Ignore the part which enables »Guest Network«.