I run this using EAP-TLS from a Mikrotik hAPac device as wireless client with WPA2-Enterprise configured on a UBNT wifi system. It is on 6.44.3; on the hAP, choose station mode, assign the SSID, and the security profile:
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-eap eap-methods=eap-tls group-key-update=1h management-protection=allowed mode=dynamic-keys name=\
EAPTLS supplicant-identity=wifi tls-certificate=TIK_f999 tls-mode=verify-certificate
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac basic-rates-a/g=54Mbps channel-width=20/40/80mhz-Ceee country="united states" \
disabled=no frequency=auto frequency-mode=regulatory-domain ht-basic-mcs="" installation=indoor multicast-helper=disabled \
security-profile=EAPTLS ssid=SECRETSSID supported-rates-a/g=24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=none vlan-id=28 vlan-mode=\
use-tag wireless-protocol=802.11 wmm-support=enabled
Don't forget to load a client cert with private key and the server root so TLS can complete. The UBNT system uses Freeradius on the backend as the AAA server for authentication in this case. I haven't tried it, but looks like you could do PEAP and TTLS as well.
WinBox v6.44.3 on hAP ac (mipsbe).png
You do not have the required permissions to view the files attached to this post.