From the RADIUS point of view, this is pretty easy, with only minor changes to the base configuration.

The hard bit is the certificates themselves. Not only do they have to work with RADIUS but they also have to cope with the idiosyncrasies of the operating systems they're installed on.

Instructions for generating client certificate PKI.

If you've got a RADIUS configuration that works for EAP-PEAP then the changes would be in the mods-available/eap file.

eap {
      ...
      
      tis-config {
                   ...
                   
                   private_key_file = <Private key for the server cert created above>
                   certificate_file = <Server certificate created above>
                   ca_file = <Root CA created for the client cert above>
                   ...
                   
                  }
     }                   

The private_key_file and the certificate_file define the server identity. The client carries the Root CA so that it can authenticate that the server is derived from the PKI. IF these are already set as part of the EAP-PEAP config then there's no need to change them. The Client→Server auth and Server→Client auth should be separate operations and work with completely different PKIs.

The ca_file is actually used to authenticate the clients in the same way as above. When the client sends the certificate the server uses the Root CA to prove that the client is derived from the PKI.