Hmm, I see... If RADIUS is working, and it's a protocol compatibility/safety issue, another potential (but more complex) solution may be to add a FreeRADIUS server in between to act as an intermediate RADIUS hop (proxy). Like this:
config/Proxy
I believe this would let you proxy an inbound auth request out to another server using a different protocol.
But back to the original problem, is there no ARP at all? If the switch kernel is trying to contact something in its local subnet, you should see an ARP broadcast from anywhere on that same subnet if that IP is not already in the ARP table (which you can check). If you don't see it, check the switch logs to see if an ACL is blocking it. It may treat ICMP differently from TCP/UDP, so you can ping stuff but other protocols are blocked.
Is the firewall disabled on your Linux box? Can you ping the Linux box from the switch mgmt interface, but other protocols don't work?
Maybe you can import the cert another way, like creating a text file with the Base64 PEM data pasted in from the console, which would at least get you to the next step.