Wifi Auth per Client/Machine (not User)

with Radius in UCS and our Unifi Wifi Infrastructure I can now successfully login to the wifi on my Xubuntu client using a UCS User Account/Credentials.
But what I’d like to have is something I deploy on the machine so that the machine authenticates before the user logs in.
So I’d like to hace every client having it’s own credentials so I can disable one of them centraly without touching all the others (like I had to do when I use PSK). I guess it’ll be a certificate that I’m going to need for each client?!
Since I’m a noob on this topic I don’t have any clue what to google for…
Clients will only be linux machines that are already part of the ucs domain.
Any hint which direction to look at?

Thanks a lot and kind Regards

am I right that it’s EAP-TLS what I’m looking for?
Any hint’s how to use this with UCS?