“Сертификат не ошибка, которой доверяют”, для eap-tls

The easiest way to verify the certificate, without getting sidetracked by other Radius problems, is to use openssl s_client.

Here's an example invocations:

openssl s_client -connect authserver.example.com:port -cert /path/to/clientcert.pem -CAPath /path/to/CAcerts/

In this case, it's likely that you've not included the CA certificate for the client, the server, or both. If the server and client don't know where to find them, they can't verify the certificates issued by that CA.