You should make a second policy and add the Domain Users group. If you ever add policies in the future, you'll probably want them above Domain Users since all users tend to be in that group and it will trump the others if it's at the top.
More details on configuration:
You should have a connection request policy for each 802.1x authenticator type (controller, IAP, switch).
In that connection request policy, you should add conditions that are unique to those devices such as NAS IP or NAS Identifier (both are sent by the authenticator device).
When you set the EAP type in the Connection Request Policy and click the override network policy authentication settings checkbox, this EAP type will trump those set in individual network policies (where you will classify users by group). I would suggest doing this as it will make configuration a bit quicker (you don't have to set it on each individual policy).
For EAP type, select Microsoft: Protected EAP (PEAP) and then select your cert from the drop-down.
Now you can go into the Network Policies and create conditions based on groups. (You can create a single policy with multiple groups, but it is generally easier to do individual ones for troubleshooting / deciphering logs).
For example:
Policy 1: IT Staff
Conditions > User Groups = DOMAIN\Domain Admins
Settings > RADIUS Attributes > Standard > Filter-id = itstaff
Policy 2: All Domain Users
Conditions > User Groups = DOMAIN\Domain Users
(it will default to allow access if nothing else is set)
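
The ordering point above can be checked with a small first-match model. This is an added example, not part of the original post and not NPS code: the `NetworkPolicy` class, `evaluate` and `shadowed` are hypothetical helpers, the model looks only at the User Groups condition, and it assumes every account is a member of Domain Users.

```python
from dataclasses import dataclass, field

CATCH_ALL = r"DOMAIN\Domain Users"  # assumption: every account is a member

@dataclass
class NetworkPolicy:
    name: str
    groups: frozenset                                # User Groups condition
    attributes: dict = field(default_factory=dict)   # RADIUS attributes sent on accept

def evaluate(policies, user_groups):
    """Return the first policy in processing order whose group condition matches."""
    for policy in policies:
        if policy.groups & user_groups:
            return policy
    return None  # no policy matched

def shadowed(policies):
    """Return (hidden policy, policy hiding it) pairs caused by ordering."""
    findings = []
    for i, policy in enumerate(policies):
        for earlier in policies[:i]:
            # An earlier policy hides this one if it matches everyone, or if it
            # already covers every group this policy lists.
            if CATCH_ALL in earlier.groups or policy.groups <= earlier.groups:
                findings.append((policy.name, earlier.name))
                break
    return findings

# Constructed sample data mirroring the two policies in the post.
IT_STAFF = NetworkPolicy("IT Staff", frozenset({r"DOMAIN\Domain Admins"}),
                         {"Filter-Id": "itstaff"})
ALL_USERS = NetworkPolicy("All Domain Users", frozenset({CATCH_ALL}))
ADMIN = {r"DOMAIN\Domain Admins", CATCH_ALL}  # an admin is also a Domain User

GOOD_ORDER = [IT_STAFF, ALL_USERS]   # specific policy first
BAD_ORDER = [ALL_USERS, IT_STAFF]    # catch-all first: the admin never gets Filter-Id

if __name__ == "__main__":
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        hit = evaluate(order, ADMIN)
        print(label, "->", hit.name, hit.attributes, "shadowed:", shadowed(order))
```

With the catch-all policy first, the admin still authenticates but the itstaff Filter-Id is never returned, so the authenticator has no role to apply.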