It's not a recommended configuration to have a external root CA sign your RADIUS server's certificate.
This is from the Free RADIUS documentation but I expect it is equal valid for the Microsoft implementation: In general, you should use self-signed certificates for 802.1x (EAP) authentication.
If you do go this route, make sure you document for CYA purposes.
From a security standpoint the best option is setup a captive portal.
Then my Windows 10 laptop could not connect (both have connected before).
Only clients that have not disconnect from the network were still able to access it.
You need to distribute your RADIUS server's certificate (if it was self-signed) or the certificate of the Certificate Authority that signed it to your clients.
AS you PC is XP Home - it isn't joined to the domain - and thus you won't automatically get the certificate.
YOu could either uncheck Validate Server Certificate to avoid this, or you could export your AD Root certificate from a server or domain joined computer (in Certificates snap-in - Trusted Root Certification Authority - right click - export), and then in you computer - Certificates snap-in - trusted root certification authority - right click and import.
I am trying to sign on to an existing internet connection from my XP.
This is the first time I have tried to attach to this internet connection from this laptop.
It is a secure network but I was never asked for the ID info.