Looks like this is a feature of hostapd in combination with a radius server...
Found this in hostapd.conf:
# Optionally, WPA passphrase can be received from RADIUS authentication server
# This requires macaddr_acl to be set to 2 (RADIUS)
# 0 = disabled (default)
# 1 = optional; use default passphrase/psk if RADIUS server does not include
# Tunnel-Password
# 2 = required; reject authentication if RADIUS server does not include
# Tunnel-Password
#wpa_psk_radius=0
I´m not sure if this scenario could configured with uci, but with a self created hostapd.conf it should be possible.
The key -> device binding will be implemented with the mac address