UPDATE: I played around a little more and tried using a Radius testing tool on my laptop - I entered the RADIUS server, shared key, etc, and it successfully contacted the server and returned "Assess-Accept", meaning it was accepted. This means I'm almost there, but also it looks like it's not using certificates, just the username and password I supplied. I selected my CA certificate and Server Certificate in pfSense, but it's like it's ignoring it and allowed the connect anyway.
So I set up FreeRADIUS on our pfSense instance with EAP-TLS - I'd like users to authenticate via Active Directory (LDAP) and a certificate that I will manually install on our authorized devices.
I've gotten as far as configuring FreeRADIUS, pointing our APs to it, and creating a Server Certificate for our FreeRADIUS Server and of course I have the CA Certificate...