Prevent NetworkManager from trying to configure/use the network interface you want to use for the AP network:

/etc/NetworkManager/NetworkManager.conf

...
[keyfile]
unmanaged-devices=mac:<interface_mac_addr>
...

Create hostapd's configuration for an WPA-EAP-protected access point, using the internal RADIUS server:

/etc/hostapd/hostapd.conf

interface=<interface_name>
ssid=<ssid>
channel=1
 
# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=3
wpa=3
wpa_key_mgmt=WPA-EAP
 
# Require IEEE 802.1X authorization
ieee8021x=1
eapol_version=2
eap_message=ping-from-hostapd
eap_server=1
server_cert=/etc/hostapd/hostapd.cert.pem
private_key=/etc/hostapd/hostapd.key.pem
eap_user_file=/etc/hostapd/hostapd.eap_user

and configure the accepted credentials:

/etc/hostapd/hostapd.eap_user

# Phase 1 users
# Wildcard for all other identities
* PEAP
 
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"<user_name>"      MSCHAPV2        "<user_password>" [2]

If not already existing, create your hostapd's certificates:

$ cd /etc/hostapd
$ sudo openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout hostapd.key.pem -out hostapd.cert.pem

Now, you can restart hostapd's service, and it should accept a WPA-EAP connection with the provided creadentials:

$ sudo service hostapd restart