This feature provides an efficient and secure WiFi onboarding process by automatically categorizing users and tailoring network access based on their email domain. It enhances security through domain-based access restrictions and ensures mandatory email verification, offering a robust and effective onboarding solution.
Enabling and Configuring Domain-based Onboarding
You can enable this feature by clicking on Guest Wi-Fi → Setup → Login Profiles, then select your template. In the Advanced tab of your login profile, you will find the dedicated section: "DOMAIN BASED ONBOARDING - Applies only to users whose email domain is configured in this section".
To activate DBO: Add at least one domain. Once a domain is added, this section allows you to define associations between users' email domains and destination groups.
The core DBO functionality (domain validation, access restrictions, temporary access) is always available. However, the ability to associate domains with a "Destination Group" is contingent upon the 'User Groups' feature being enabled for the account.
- If the 'User Groups' feature is enabled for the account: The "Destination Group" field/column will be visible and configurable, allowing you to map domains to specific groups.
- If the 'User Groups' feature is disabled for the account: The "Destination Group" mapping is not available.
To add a mapping, click the "Add new domain" link.
- Domain: Enter the email domain (e.g.,
yourcompany.com,collaborators.net); domain matching is case-insensitive. - Destination Group: Select an existing group from the dropdown list. This is the group to which the user's current assignment will be updated upon successful domain validation.
- "keep group assigned by rules" Option: This option is available in the dropdown menu. If selected, it indicates that, upon successful domain validation, the user's group will not be modified by the DBO, maintaining the group assigned by initial signup rules.
- "Allow access to listed domains only":
- Yes: Only users with domains configured in this section will have WiFi network access. Other domains will be blocked.
- No: Users with configured domains will follow the DBO flow. Users with unconfigured domains will fall back to the standard Login Profile flow (if configured).
- "Network Access Allowance":
- Give temporary access to check email: After entering their email, the user receives temporary network access (e.g., 5 minutes) to allow them to check their validation email.
- Don't give temporary access to check email: The user receives no network access until email validation is completed.
User experience
When DBO is active, the Captive Portal dynamically adapts to the user's input. The email field becomes mandatory, and other validation fields (e.g., phone, sponsor) will be bypassed or their input will become optional based on the user's email domain.
During the first access, the Splash Page asks for the email address of the end-user. The system evaluates the entered email's domain and adapts the experience in real-time.
There are three possible scenarios based on the domain:
- If the domain matches a DBO mapping (e.g.,
yourcompany.com):- The DBO flow takes precedence.
- Fields whose validation is no longer required (e.g., Phone, Sponsor) will be bypassed.
- The user will proceed to the DBO email validation flow.
- A verification email with a link will be sent.
- If configured, the user might receive temporary access to check this email.
- Upon clicking the link, the user's group will be updated to the configured "Destination Group".
- Concurrently, the internet plan associated with this new group will be explicitly assigned to the user's profile, and previous plans will be invalidated.
- Note: If the user is online at the time of this update, they will continue to navigate with the old plan until their session ends or they re-login, due to RADIUS system limitations.
- Finally, the user will gain full, permanent network access with the policies inherited from their newly assigned Destination Group.
- If the domain does NOT match (and access is not strictly limited):
- The user will be redirected to the standard Login Profile flow, where other configured validation options (phone, sponsor, etc.) will be applied normally.
- If the domain is NOT authorized ("Allow access to listed domains only" = Yes):
- Access will be denied with a clear error message (e.g., "Your email domain is not authorized").