If you’re simply looking for a tutorial on how to connect your device to the network securely, go to the Tutorials section.

Why this article?

Android recently got an update which prevents you from connecting insecurely to WPA Enterprise networks. The IT staff for SRVUSD firmly insisted that it is now simply impossible to connect an Android phone to the SRVUSD-BYOD network.

I didn’t believe them, so I brought my laptop to school, used Wireshark to dump the WPA handshake, and found the certificate information that is needed to connect securely.

I am writing this tutorial because the district’s own IT staff can’t help students figure this out, so hopefully I can.

Network info

The network uses WPA Enterprise with WPA-PEAP and MSCHAPv2 for authentication. The root CA certificate is provided in the Certificates section.

Connection details

NameValue
Security modeWPA/WPA2 Enterprise
AuthenticationProtected EAP (PEAP)
CA certificatesee Certificates section
Domainsrvusd.k12.ca.us (or possibly RADIUS-DC2.srvusd.k12.ca.us)
Inner (Phase 2) AuthenticationMSCHAPv2
Identity (username)STUDENTS\######, where ###### is your student ID number
PasswordYour district password

Tutorials

The tutorials provided here detail how to connect to the SRVUSD-BYOD network securely (i.e. with certificate verification). There are also ways to connect insecurely (i.e. without certificate verification), but that’s insecure, so you shouldn’t do that.

Tutorials are provided for the following OSes:

Android

Note: the steps below are for stock Android. If your phone uses modified Android (like some Samsung phones), the exact steps may differ. The general process will stay consistent, though.

The process to connect on Android consists of two main steps: (1) install the SRVUSD Root CA certificate, and (2) configure the network.

1. Install the certificate

Important note: This only installs the SRVUSD Root CA certificate for verifying Wi-Fi networks. It cannot verify websites, so it does not compromise the security of your device.

  1. First, download the SRVUSD Root CA Certificate. Make sure the file ends with .crt or .cer. Android might not recognize it otherwise.
    (If you don’t trust me, download and extract the certificate from srvusd.net/pki)

  2. Navigate to Wi-Fi Preferences. This can be found in Settings > Network & internet > Wi-Fi > Wi-Fi Preferences.

  3. Select Advanced > Install certificates.

  4. Select the certificate file. You can name it whatever you want. I simply named it SRVUSD-RootCA.

2. Configure the Wi-Fi network

  1. Go back to the Wi-Fi settings and select the SRVUSD-BYOD network.
    (Or add a network with the SSID SRVUSD-BYOD and select WPA/WPA2/WPA3-Enterprise security.)

  2. Enter the details accordingly:

Field nameValue
EAP methodPEAP
Phase 2 authenticationMSCHAPV2
CA certificateSelect the name of the certificate you just installed
Online Certificate StatusEither “Do not validate” or “Request certificate status”
Domainsrvusd.k12.ca.us
Identitystudents\######, where ###### is your student ID number
Anonymous identityLeave blank
PasswordYour district login password
  1. Press Save (obviously)

Linux (with NetworkManager)

If using the GUI connection editor (nm-connection-editor), add a new Wi-Fi network and fill out the fields with the information provided above. See the screenshots below for details.

Instead of using the GUI connection manager, you can use the connection file provided below.

For the CA certificate, download (or create) the certificate file. Then select that file as the CA certificate in the connection editor, or provide the path in the connection configuration file.

Configuration file

Note: lines that are not relevant to the network but are still recommended (e.g. security/privacy settings) are commented out.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

## /etc/NetworkManager/system-connections/SRVUSD-BYOD.nmconnection

[connection]
id=SRVUSD-BYOD
type=wifi

[wifi]
mode=infrastructure
ssid=SRVUSD-BYOD

# Randomize MAC address (limits device tracking)
#cloned-mac-address=random

[wifi-security]
key-mgmt=wpa-eap

[802-1x]
ca-cert=<path to SRVUSD CA certificate>
domain-suffix-match=RADIUS-DC2.srvusd.k12.ca.us

eap=peap;
phase2-auth=mschapv2

identity=students\\######
# Password flags:
#   1 - Save password in user agent (not system-wide)
password-flags=1

[ipv4]
method=auto

[ipv6]
method=auto
#addr-gen-mode=stable-privacy

Screenshots

Wi-Fi network settings
Wi-Fi Security network settings

Certificates

Below are the three PEM-encoded X.509 certificates in the trust chain for the SRVUSD-BYOD network.

Note: the URLs provided in the certificates (e.g. CRL distribution points) no longer exist. Thus you should not enable CRL or OCSP checking when using these certificates.

AP Certificate

Download

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

-----BEGIN CERTIFICATE-----
MIIH1jCCBb6gAwIBAgITJAAAFvMIp6Ewf9S3EgABAAAW8zANBgkqhkiG9w0BAQwF
ADBpMRIwEAYKCZImiZPyLGQBGRYCdXMxEjAQBgoJkiaJk/IsZAEZFgJjYTETMBEG
CgmSJomT8ixkARkWA2sxMjEWMBQGCgmSJomT8ixkARkWBnNydnVzZDESMBAGA1UE
AxMJU1JWVVNELUNBMB4XDTIxMDcwMTAzMDY1M1oXDTIyMDcwMTAzMDY1M1owJjEk
MCIGA1UEAxMbUkFESVVTLURDMi5zcnZ1c2QuazEyLmNhLnVzMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEApJFZqHoMjLlCLtyjuSetJxHp1+Sh9AsnJWUj
01E3K89cwxJqZuYFh4F1uhrHOUc9rtaL0Bmb0UZIB4ATXYE9zlZ6ZbRXO0FJzt5D
RcpGgQKcShMXgfkvjjLj8q0QEkpuwQXK30axKwxswCnaEYpCRrZn0+iIXmCdutBo
swTlkknqCA7PF+S22cF/xCDXQFAxQJSj/RNcwvRWeewRdFW7ZSwmlSDrvgbKvAAc
LamY93EC8KdxGhgAmvwSVmrnSfVuCr60tFXZ9a249jGKzdD1UvCrXd7aAAt07g31
PgTALrqPpY4I1AKbUxaEhc0xuazmTeE3n0raZyPM1p/r5TC6EQIDAQABo4IDuDCC
A7QwLwYJKwYBBAGCNxQCBCIeIABEAG8AbQBhAGkAbgBDAG8AbgB0AHIAbwBsAGwA
ZQByMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMC
BaAweAYJKoZIhvcNAQkPBGswaTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQC
AgCAMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAS0wCwYJYIZIAWUDBAECMAsGCWCG
SAFlAwQBBTAHBgUrDgMCBzAKBggqhkiG9w0DBzBHBgNVHREEQDA+oB8GCSsGAQQB
gjcZAaASBBBbGa4ZW4vVRLf8skDUpsiZghtSQURJVVMtREMyLnNydnVzZC5rMTIu
Y2EudXMwHQYDVR0OBBYEFJjcGBkqmPJzCtWot4gw7zfxiGGiMB8GA1UdIwQYMBaA
FLuk9Oi5ZD92Dl0Jx3Yf7eq7nbW4MIIBGwYDVR0fBIIBEjCCAQ4wggEKoIIBBqCC
AQKGgcBsZGFwOi8vL0NOPVNSVlVTRC1DQSgxKSxDTj1TUlZVU0QtQ0EsQ049Q0RQ
LENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZp
Z3VyYXRpb24sREM9c3J2dXNkLERDPWsxMixEQz1jYSxEQz11cz9jZXJ0aWZpY2F0
ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9u
UG9pbnSGPWh0dHA6Ly9zcnZ1c2QtY2Euc3J2dXNkLmsxMi5jYS51cy9DZXJ0RW5y
b2xsL1NSVlVTRC1DQSgxKS5jcmwwggEuBggrBgEFBQcBAQSCASAwggEcMIGzBggr
BgEFBQcwAoaBpmxkYXA6Ly8vQ049U1JWVVNELUNBLENOPUFJQSxDTj1QdWJsaWMl
MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
PXNydnVzZCxEQz1rMTIsREM9Y2EsREM9dXM/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i
amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwZAYIKwYBBQUHMAKGWGh0
dHA6Ly9TUlZVU0QtQ0Euc3J2dXNkLmsxMi5jYS51cy9DZXJ0RW5yb2xsL1NSVlVT
RC1DQS5zcnZ1c2QuazEyLmNhLnVzX1NSVlVTRC1DQSgxKS5jcnQwDQYJKoZIhvcN
AQEMBQADggIBADrWg4tJmg7rXu4B6TE7ZrkO8d/wfl1ZsPhVfWJ0oPkOuY7inMS1
3yYENdIngOtByDVhN+ChZieXjBfgyJwmzI+v9Z+zAXtDKl9VvdN/32UDtuKYs6KA
n+GD2IeN2Z5ee+u3kjl6VZsHXN7EHVdIAKMEalzxMc+yuHv/7uhCb6LIKuXfX2bX
JZV54h8waVUmfygOuMLYTM/wdAdi1rxYUuQOXzDUOeYdtzQSGK3Nnpe0XBBILO/Z
xJAitpTXYVOaPVaDYLpV0sL9Zf85RKWiRRRHMhaEi96bw46lNTfjK72YoR/c70qA
kNMLAjuJX53D3qs2TuepxK4kr6HrFk+c4jZSe0P9eNswujNVpGK63Y0tOtrmZDPa
kd+cli0Ifu/8XsaD1Zv+g0qQh/w+35HNTzJidXim6d9kKotSpzqicHldtVo3wkR5
QJvENa6Y81t5vrwpg6yt8OTQxO2g0gUDYc5FQp1zqVKOwt5TeawLc4hJ1PnnCQhY
se2ip7eiGxWvpAzBp8Mf/jCh2O8t0NvFk2S73964DCqZBa+NvPY1sZDOp24AUQLj
PtYGfOFLIeVtW3v7jQSF2hk6TkfyXSs6jvwys2Zrijv/JnOSq16Px/SHXRmkFFSv
MEkoGunDbbqldn/x3yHEak+3fXSqq0noYs8jkoE55BvoVlxdD1z/kBFs
-----END CERTIFICATE-----

Intermediate certificate

Download

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

-----BEGIN CERTIFICATE-----
MIIGTzCCBDegAwIBAgITEgAAAAKWpGDvrXNRKwAAAAAAAjANBgkqhkiG9w0BAQwF
ADAYMRYwFAYDVQQDEw1TUlZVU0QtUm9vdENBMB4XDTE1MDczMTA1MzEzOFoXDTMw
MDczMTA1NDEzOFowaTESMBAGCgmSJomT8ixkARkWAnVzMRIwEAYKCZImiZPyLGQB
GRYCY2ExEzARBgoJkiaJk/IsZAEZFgNrMTIxFjAUBgoJkiaJk/IsZAEZFgZzcnZ1
c2QxEjAQBgNVBAMTCVNSVlVTRC1DQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
AgoCggIBAKSeoQ3UXP+R+DXWbMgR51dyEuL6H5HxOOrEn1Nz2tgWy/cPCvcA3U9W
4nZbXO9yZZmXc2EJSz9TPg7Bqd09IBOK+27eNqLdMCp2etHGVAPQc+RlVdOjflZu
UuYq38yruUKNzeDd2K/ebAgldkL37MvFQaLIR97hIzK4uou2IBcqfMV8Z6A5AFy0
tUn8Ed9cR2HDP2k65/KphD+N9SzmfsTkk+h2MyoBgmdeiTFMCBJzk5BadQVCoukM
QS4+Y+OxllocdzbTyHZBZrPj+fhGxei7nf0pmkbSSeDQe4PbbgYEqy01c2yF6rhl
zVN5V/hxwv/c1GKFpBztkLgq+jcwxcJV5tGYmF5hB5dw2/B9tUs16JVLcCQKtyqb
dKVaUY34WYWS1rq/E6O6XELonbGI32YXEschvki0hOU4GvXqkJEqsaKM8Cqn8dUy
vibNALcpR9VZe6Sdux7St6Q9ADtUCqV8fIw5HZ1VxAWfqrqwA7HjFMlG3zlmtO/j
3ovL3mvC8e8l17s8w7pwS+1cfJbOLpOKNoiYQLhs4aUnvNpsG2uYX/abx9qKyAxB
/coTltdsKvfQ7bmRMyQOVGsZGRSmPK6p1rfIRSOIdaOUReDaxHK28usymC7iANhs
zWPbTyy6K72JOKgTzP38hSLJw4ix1j7wbRampbQK3IeiX1XeT8nRAgMBAAGjggE/
MIIBOzASBgkrBgEEAYI3FQEEBQIDAQABMCMGCSsGAQQBgjcVAgQWBBSshDmlWMIP
xq/UoEHd3MoVeMtnZTAdBgNVHQ4EFgQUu6T06LlkP3YOXQnHdh/t6rudtbgwGQYJ
KwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQF
MAMBAf8wHwYDVR0jBBgwFoAUFHCv83URY2wwNORb8l6d4TDEahswPQYDVR0fBDYw
NDAyoDCgLoYsaHR0cDovL3BraS5zcnZ1c2QubmV0L2NybHMvU1JWVVNELVJvb3RD
QS5jcmwwSAYIKwYBBQUHAQEEPDA6MDgGCCsGAQUFBzAChixodHRwOi8vcGtpLnNy
dnVzZC5uZXQvYWlhcy9TUlZVU0QtUm9vdENBLmNydDANBgkqhkiG9w0BAQwFAAOC
AgEAc8AzFPNRLKN+xdtpKmTxZRTh8bUiuHHXYeuKeeZgAVqvpm1BY068KU6YjQbz
e6jOxqGe/81BPY8ZcXY6Ba3nyXrRtwJcY5VwrsL+GLu1fq1b6opnygX6s5AhWa4i
XQDzJszkjAV18yoA4bAtllnz0ZxnqGAZ2lqS/FrlCtOHlWaWciHzALN9BUYe4+XD
DK++qU68VF3Vop0oAgzpUQ/+eVtMu+qIJqtcUXHKNlInz5v/OfXiTwiSf/uzWVEk
U/deufDS/nWUeo52S2ZlY5ZG635Do4bA3CLFwMzBLecZznAncYUcFVlIty3z8BM0
mZ7Gf1zm6wm5fXT6sNjq7qLYTMDttyIJkA8aSA/QppzOeA41HgXmHRFOLFyJwWoM
JOYlm8g8PigGKU6sPoX7mWoEosxNjZ6R4o+zmEimAZjBz1DHpwKBsjmBuum03+1D
IrwZIAIkutM3wScCOhmMd0F1gZ5DSahsTMsUsxtncOar5cT3GSbE3YkmVahwucsw
E8UTDpV9EOThH94EpmKWLe27s5IWXo0oeWJj5BDX2RpaWczmKquH4mng49ahw+/P
K13rwTMSZvcbq4CgKEfKOPDGsCbTO1V+xf5Y4Hh60NfB8/CFS67tZjae3L4ejO9S
1mLiYmxJVcPgI95REWoD/x9q27toBb1IAsjBfHEYZErYGmA=
-----END CERTIFICATE-----

SRVUSD Root CA Certificate

Download

Also available at https://www.srvusd.net/PKI.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

-----BEGIN CERTIFICATE-----
MIIFjjCCA3agAwIBAgIQegjDAjn44b9NqFSCwXI5LzANBgkqhkiG9w0BAQwFADAY
MRYwFAYDVQQDEw1TUlZVU0QtUm9vdENBMB4XDTE1MDczMTA1MTcyMFoXDTQ1MDcz
MTA1MjcxOFowGDEWMBQGA1UEAxMNU1JWVVNELVJvb3RDQTCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBAI3y3w8PvFBM5qM7wsiU+/d3kDx6Ibv3VmWP38D/
Z8mTY3ylwLD/Z165142yRZyqlusr4wq7n+9UURXXfisArEv+sVJ9C73n0vJWZLRC
BrOXgdq3cO72bQWaispj5I1q8I4FV8+B+rgKgx40/sYzf988tW9n4jbgXU7E+h6f
Bi2JPQs1XJyqh4s/9+lynnsa7PEbHTqsAqOtw0RGn6oNpWotq97wmNaQNekk7qXp
TtBqu5TrMU2hzEMj2a8MIFXRzWM8FkN17yFcss5r6WQ0rfeqfQOid4/paJSt+6kv
hvgSWpKWDaQ8cOgNxzC8pc8Q/rKDDjdgVDKERF3YCNGSXDOHttDD4r2GkcEQJGmi
0KocDVeYbP80FvlDUIX86T9uCdkfYTw9uExXqF7FMBJdRoTjcLKfQWsfD89OQRGD
Z/Dt++hYmLQPAoAA2sQ5q3RsW79SO79Xy3dU7+ybdmFrKOa0qD3CkXm9/Ke3DN/L
7eVEQGSpqAGj9t0K18pA92jX9wYOaNSJmU6zoSXyMUM5EBT/pqxRaO/eGCb5KI6n
1Cx9JJb8EM7aZRds8ujMuap+VTdGS3DF3xFPzjBl9cuDSCiiIpbQmusQM6/qjWD+
ZCjXbWOV8rG9BhUw6SSju2i9fgLPbs/HwtzEzxebs/gv95GYNURbrZfLPfCI37pV
jFhvAgMBAAGjgdMwgdAwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFBRwr/N1EWNsMDTkW/JeneEwxGobMBAGCSsGAQQBgjcVAQQDAgEAMH8G
A1UdIAR4MHYwdAYIKgMEiy9DWQUwaDA6BggrBgEFBQcCAjAuHiwATABlAGcAYQBs
ACAAUABvAGwAaQBjAHkAIABTAHQAYQB0AGUAbQBlAG4AdDAqBggrBgEFBQcCARYe
aHR0cDovL3BraS5zcnZ1c2QubmV0L2Nwcy50eHQAMA0GCSqGSIb3DQEBDAUAA4IC
AQBe2wo0tRfnNaf3mnk5stxb8iQouaEmhS7AkbCcNOVLsIPT9HTxneCvuuuT5g2C
iovDI1Mz4xmGh+6QhMCFwPTKq+cx0cmPYIi5DW/H+oaXA1QE0oL6fCa4eLl5Ht8Z
X7+Vm2hIetrWJar36M/Mko4t8CYoD5DkVEExduLNC2362I5ZLkZBydhnUZ5S2bJN
tuqJ8Cm39GKr8OfO2slZDOsO4/meM420EG5m03pG2gfzDMGlSCvdmwN3J10JIkHP
Xcss5ikY4yLrRkrXibJuMtgjp7Bmq/PW4F1DlpHZTqWNjxkME2xwds34KlIYPd/4
QO/gkgaZS6g/bWZA8Z/xATJC/rtP8/9GLnYxWrEJ06FmAJfXjE4Nh71d2K6fHI65
H1shix5gWAFZGXhOjDay2aVR71SlCsP4R/HGcl2YELc+13W5wKUpJYwlkezOUiT7
lkQac5FdfPr7nvPgsTLrACvnynSTeoDyDson7CidN9V/0mqgtdapKHXx0Hmai6LI
TtHOVdXsnpZZLSoQ65USnG+R7NWZfS1rvYgQYycWfZ9kJZ7Orn+DQ1lErska6uSk
H6s9RFolXVkzo7qCVLbscj8WLS6uB9VgcX8C7drW7gnTEvVslw6jbQyD13iwqnJI
MqLQvYtvk+u+I4WZLcLDia6bsdnSYI5l0QeBhYIimWELIg==
-----END CERTIFICATE-----