Not trying to oversimplify things, but the "authenticator", which would be the controller or IAP in this case, just forwards radius traffic to the radius server. At most, you have to just configure WPA2-AES encrytion, the Network and the Radius Server. All the rest of the configuration occurs on the Client and the Radius Server for TLS.
info on how to setup EAP-TLS can be found in the thread here: http://community.arubanetworks.com/t5/Authentication-and-Access/EAP-TLS-configuration/m-p/37358/highlight/true#M729
Definitely NOT simple or straightforward.