Do new private keys get regenerated on certificate renewal?

Yes, by default certbot will generate a new private key each time. Changing keys is a good idea; usually we don’t change keys often because it’s easier not to, but with a fully automated setup we might as well change keys every time.

Yes, if you generate your own CSRs, or if you used a client which lets you choose not to generate a new key, you can stick with the old one, and it isn’t necessarily unsafe, although the fresh key would always be safer all things being equal. Because the keys are in pairs, with each private key necessarily corresponding to one public key, Let’s Encrypt would be able to choose to detect key re-use and reject it if they wanted to even though they never know what your private key is - but they do not do this.

For your RADIUS setup I would consider whether you have a secure way to push the private keys out to the servers. If so, I would suggest allowing the keys to change and be updated periodically along with the certificate, just because it’s simpler. If delivering new keys securely will be difficult, you might consider using a CSR to force the keys to stay the same for a longer period, so that you only have to transport certificates (which are harmless if stolen, though they do need to be delivered intact).

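As an added example (not part of the original post, and not certbot's own code), here is a POSIX shell check for the practical question in the RADIUS scenario above: after a renewal, does the new certificate still match the private key already sitting on the servers, or did the key change so that the key must be redistributed along with the certificate? It compares the SHA-256 hash of the DER-encoded public key taken from a certificate with the one derived from a private key. It assumes `openssl` and `awk` are installed; the key and certificate files it creates are constructed fixtures, and the hostname `radius.example.test` is a placeholder.

```shell
#!/bin/sh
# Added example: verify key/certificate pairing and detect key rotation
# between two certificates. Not from the original post or from certbot.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo carried inside a certificate.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# The same hash derived from a private key, so the two are comparable.
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds (exit 0) when the private key and certificate belong together.
key_matches_cert() {
  [ "$(key_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ]
}

# Succeeds when two certificates carry the same public key, i.e. the
# key was reused across the renewal and only the certificate changed.
same_key_in_certs() {
  [ "$(cert_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ]
}

# Build constructed fixtures in directory $1 (self-signed, not real
# Let's Encrypt material): key-a.pem with cert-a.pem, cert-a2.pem issued
# for the same key (what a renewal that keeps the key produces), and
# key-b.pem with cert-b.pem (what a renewal with a fresh key produces).
make_demo_certs() {
  fixture_dir=$1
  for name in a b; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$fixture_dir/key-$name.pem" 2>/dev/null
    openssl req -x509 -new -key "$fixture_dir/key-$name.pem" -days 1 \
      -subj "/CN=radius.example.test" -out "$fixture_dir/cert-$name.pem" 2>/dev/null
  done
  openssl req -x509 -new -key "$fixture_dir/key-a.pem" -days 1 \
    -subj "/CN=radius.example.test" -out "$fixture_dir/cert-a2.pem" 2>/dev/null
}

# Stand-alone demonstration: decide what has to be shipped to the servers.
demo=$(mktemp -d)
make_demo_certs "$demo"
if key_matches_cert "$demo/key-a.pem" "$demo/cert-a2.pem"; then
  echo "cert-a2 still matches key-a: only the certificate needs to be shipped"
fi
if same_key_in_certs "$demo/cert-a.pem" "$demo/cert-b.pem"; then
  echo "cert-b reuses the old key"
else
  echo "cert-b carries a new public key: the private key must be redistributed too"
fi
rm -rf "$demo"
```

Run `key_matches_cert` against the private key on each RADIUS server and the freshly renewed certificate before pushing: if it fails, the renewal rotated the key (certbot's default, unless its `--reuse-key` option or your own CSR keeps it) and shipping the certificate alone would leave the server with a mismatched pair.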