I have been testing the RADIUS server further using eapol_test (found in wpa_supplicant). The SSL certificate chain sent by RADIUS is now correct:
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
/OU=Domain Control Validated/OU=PositiveSSL/CN=[RADIUS_FQDN]
If I run eapol_test with server certificate validation, I can only get a successful run if I do it against AddTrust External CA Root (saved in a local .crt file). If I try to validate using any of the Comodo certificates, the process fails. So, some conclusions:
1. You were right in that I didn't have the complete chain.
2. Once the complete chain is available and confirmed supplied correctly by RADIUS, the RB still refuses to connect (unknown ca).
3. If the AddTrust External CA Root certificate is installed in the RB, the process completes fine.
I'd still like to know how (or if) it's possible to get the RB to accept a server certificate without having to pre-install it (without using skip certificate validation, of course!).
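Added example, not part of the original post: a sketch with the OpenSSL command-line verifier of why a check can pass against the root but fail against an intermediate alone. By default OpenSSL only accepts a chain that ends at a self-signed trust anchor. The certificate names are constructed, and that eapol_test and the RB follow the same rule is an assumption.

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf chain; all names are made up.
# Assumes the openssl command-line tool is installed.

# new_cert <dir> <name> <subject> <signer-name|self> [extfile]
new_cert() {
    d=$1; name=$2; subj=$3; signer=$4; ext=${5:+-extfile $5}
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    if [ "$signer" = self ]; then
        openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" \
            $ext -days 2 -out "$d/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$signer.crt" \
            -CAkey "$d/$signer.key" -CAcreateserial $ext -days 2 \
            -out "$d/$name.crt" 2>/dev/null
    fi
}

make_chain() {
    d=$1
    # Extension file that marks a certificate as a CA.
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_cert "$d" root "/CN=Demo Root CA" self "$d/ca.ext"
    new_cert "$d" int "/CN=Demo Intermediate CA" root "$d/ca.ext"
    new_cert "$d" leaf "/CN=radius.example.test" int
}

# verify_leaf <dir> <openssl verify options...>: prints "ok" or "fail"
verify_leaf() {
    d=$1; shift
    if openssl verify "$@" "$d/leaf.crt" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

demo() {
    d=$(mktemp -d)
    make_chain "$d"
    echo "root anchor, intermediate sent by server: $(verify_leaf "$d" -CAfile "$d/root.crt" -untrusted "$d/int.crt")"
    echo "root anchor, intermediate missing:        $(verify_leaf "$d" -CAfile "$d/root.crt")"
    echo "intermediate as the only anchor:          $(verify_leaf "$d" -CAfile "$d/int.crt")"
    echo "intermediate anchor with -partial_chain:  $(verify_leaf "$d" -partial_chain -CAfile "$d/int.crt")"
    rm -rf "$d"
}
demo
```

The `-partial_chain` option is what lets OpenSSL stop at a trusted non-root certificate; whether a given supplicant exposes an equivalent setting depends on that client.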