I'll preface this by saying I do not believe this to be an issue with ClearPass, but hoping someone has dealt with similar.
We're introducing an intermediate certificate to our client certificate chain and are unable to authenticate against our EAP-TLS service after installing the new client certificate. I am of the opinion that we should not have to trust each intermediate certificate and that the client is responsible for providing a sufficient chain back to our trusted CA, but I can't seem to make the client send the intermediate certificate along during the authentication. Here's a screenshot:

Access tracker shows "EAP-TLS: fatal alert by server - unknown_ca" -- expected because we don't trust the intermediate.
I'm sideloading PKCS#12 files for testing. I've tried including the intermediate (didn't work), including intermediate and root (didn't work).
How do we force the Android to send its full chain?
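
An added example, not part of the original post: a throwaway lab PKI that reproduces the validation outcome described above and checks which certificates a PKCS#12 bundle actually carries. All names and the password are constructed, and `openssl verify` is used here as a stand-in for the server's chain validation (an assumption, not ClearPass's own code path).

```shell
#!/bin/sh
# Constructed lab PKI (made-up names and password): lab-root -> lab-int -> lab-leaf.

build_lab_pki() {  # $1 = empty working directory
  local d n; d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null || return 1
  # Bundle as in the post: client key and certificate plus the intermediate.
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -certfile "$d/int.pem" -passout pass:lab -out "$d/client.p12"
}

# Validator that trusts only the root. $2 selects what the client presents:
# "leaf-only" (just its own certificate) or "with-chain" (leaf plus intermediate).
server_accepts() {
  if [ "$2" = "with-chain" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

# Number of certificates stored in the bundle (2 = leaf + intermediate).
p12_cert_count() {
  openssl pkcs12 -in "$1/client.p12" -passin pass:lab -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_lab_pki "$d" || return 1
  if server_accepts "$d" leaf-only;  then echo "leaf only: accepted";  else echo "leaf only: rejected"; fi
  if server_accepts "$d" with-chain; then echo "with chain: accepted"; else echo "with chain: rejected"; fi
  echo "certificates in client.p12: $(p12_cert_count "$d")"
  rm -rf "$d"
}
demo
```

A bundle that reports two certificates here contains the intermediate; whether the supplicant then presents it during the handshake is a separate question that this check does not answer.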