The AP would have to be configured with the EAP-TLS server IP address (they communicate via RADIUS). Supplicant (client) attempts connection via the AP, AP blocks, sends client EAP-IdentityRequest message, blocks until the EAP-TLS process (certificate exchange) completes between Auth Server and Supplicant, Auth Server sends EAP-Accept message to AP, AP closes circuit (802.1x virtual port) to allow verified-client to connect to network... away you go
Hope that helps.
Eric