First, figure out which EAP type you plan to support - EAP-TTLS, EAP-PEAPv0 or EAP-TLS (client and server certificates).
If username/password based access is required, then PEAP or TTLS should be used. Enable those in the Radius server settings.
> Do I have a make these changes on EVERY laptop
Yes.
For XP, the profile must be configured either manually or via group policy. Make sure you start with SP3 if possible to get WPA2 support and the latest XP wireless support. The profile should be set to PEAP or EAP-TTLS. If you chose EAP-TLS it just won't work without a PKI style backend that delivers certificates to clients.
For these EAP types you will need a certificate on the Radius server (to encrypt communications before credentials are tested), so that may need to be installed on your controller too.
> when I tried to connect to the VSC using an Android TAB, it asked me straight away for the username and password, and connected straight after.
Probably determines the security mode from the management frames, or maybe it by default uses PEAP.
This is just a few starter hints, enterprise wireless can get pretty involved.
Regards,
Steve.