Windows internet validating identity
You need to distribute your RADIUS server's certificate (if it was self-signed) or the certificate of the Certificate Authority that signed it to your clients.
From a security standpoint the best option is setup a captive portal.
Students can use their BYOD devices to connect and reach the portal, pass their user authentication credentials to the portal and the portal can then talk to the RADIUS server.
Eduroam is another popular choice for educational organizations.
This only happens with the 802.1x ssid (staff) and not with the PSK ssid (for guests).
I then verified that the only way for a windows computer to connect to this is to uncheck the "verify the server's identity by validating the certificate" option while manually adding the profile. I just deployed a setup very similar to this last week, to provide Internet access to a week-long campground event.