Hi there. I would highly recommend checking out the Lab Minutes videos with ACS. You will find detailed videos on how to deploy EAP-TLS with Cisco's ACS:
http://www.labminutes.com/video/sec/ACS
However, it should be noted that the customer will need to have a PKI/CA stood up for this to be possible. This can either be an internal one (for example Microsoft Certificate Authority) or an external one (for example Symantec Certificate Authority).
Once they have the CA up and running then they will have to actively be pushing certificates to the endpoints that will be connecting to the EAP-TLS protected WiFi.
I hope this helps!
Thank you for rating helpful posts!