Product and Software: This article applies to ArubaOS 3.x and later.
Sometimes when we test a BlackBerry with 802.1x authentication, it works well without EAP termination. However, when we turn on EAP termination, the BlackBerry can no longer connect to the SSID even though the Windows clients are still working.
One difference exists between the Windows client and most BlackBerry phones. Windows Zero Config or Odyssey client has a button called Validate Server Certificate, which is not available on the BlackBerry. That means the BlackBerry always validates the server certificate when it does the authentication against a RADIUS server.
When EAP termination is disabled, the RADIUS server's CA certificate must be loaded on the BlackBerry first. When we enable EAP termination, EAP exchanges happen between the BlackBerry and the controller instead of with the RADIUS server, so the server certificate the BlackBerry validates is the controller's. In this case, we have to load the controller's CA on the BlackBerry first. Otherwise, the BlackBerry fails the validation of the server certificate and is not able to connect.
However, if our Windows clients still work without reinstalling any certificate after enabling EAP termination, it is most likely because the Windows client has Validate Server Certificate disabled.
In recent BlackBerry phones, the option "Disable server certification" can be used to overcome this issue. In older phones where this option is not available, a CA certificate on the server is mandatory.
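
The trust-anchor mismatch described above can be reproduced offline with OpenSSL. This is an added example, not part of the original article or of ArubaOS: the two throwaway CAs, the file names, and the helper functions (`make_ca`, `issue_cert`, `client_validates`, `report`) are constructed stand-ins, and `openssl verify` only models the chain check that a validating handset performs.

```shell
#!/bin/sh
# Constructed lab model: two throwaway CAs stand in for the RADIUS server's CA
# and the controller's CA. All names and paths here are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: create a self-signed CA certificate and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <ca-name> <server-name>: sign a server certificate with that CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# client_validates <trusted-ca> <server-name>: succeed only if the server's
# certificate chains to the single CA the client has loaded.
client_validates() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# report <trusted-ca> <server-name>: print what a validating client would decide.
report() {
  if client_validates "$1" "$2"; then
    echo "client trusts $1, server presents $2: accepted"
  else
    echo "client trusts $1, server presents $2: rejected"
  fi
}

make_ca radius-ca
issue_cert radius-ca radius-server
make_ca controller-ca
issue_cert controller-ca controller

report radius-ca radius-server    # EAP termination disabled
report radius-ca controller       # EAP termination enabled, handset unchanged
report controller-ca controller   # EAP termination enabled, controller's CA loaded
```

The same `openssl verify -CAfile` check, run against the CA certificate loaded on the handset and the server certificate the controller presents, predicts whether a validating client will connect after EAP termination is enabled.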