For more security, i want to implement EAP-TLS.
The configuration server side but what do I need to do on the Catalyst 9300 switch as client ?
-There are several components that are required for this type of implementation to work. Not only do you need proper config on ISE side, but the switch and all clients need to be configured to support this. From the switch perspective you will need to determine whether or not you will use IBNS1.0 or 2.0 and enable radius support, etc. As for the clients your big thing here will be determining what supplicant you wish to use (AnyConnect NAM or Native supplicants). Both have their pros/cons. I strongly suggest testing/doing your research to see what fits your environment needs best. Lastly, once you have all components ready for deployment testing I would suggest to run things in 802.1x open mode to start then work towards tightening things once you feel comfortable. This document here sheds light on essentially everything I mentioned and what you would need to piece all of this together: ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community