====== hostapd howtos ======
===== How to create a WPA-EAP-protected network =====
Prevent NetworkManager from trying to configure/use the network interface you want to use for the AP network:
<code>
...
[keyfile]
unmanaged-devices=mac:
...
</code>
Create hostapd's configuration for a WPA-EAP-protected access point, using the internal RADIUS server:
<code>
interface=
ssid=
channel=1
# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=3
wpa=3
wpa_key_mgmt=WPA-EAP
# Require IEEE 802.1X authorization
ieee8021x=1
eapol_version=2
eap_message=ping-from-hostapd
eap_server=1
server_cert=/etc/hostapd/hostapd.cert.pem
private_key=/etc/hostapd/hostapd.key.pem
eap_user_file=/etc/hostapd/hostapd.eap_user
</code>
and configure the accepted credentials:
<code>
# Phase 1 users
# Wildcard for all other identities
* PEAP
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"" MSCHAPV2 "" [2]
</code>
If they do not already exist, create hostapd's certificate and private key:
<code>
$ cd /etc/hostapd
$ sudo openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout hostapd.key.pem -out hostapd.cert.pem
</code>
Now, you can restart hostapd's service, and it should accept a WPA-EAP connection with the provided credentials:
<code>
$ sudo service hostapd restart
</code>
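The configuration above sets ''auth_algs=3'' and ''wpa=3'' and pins no pairwise cipher, so it allows Shared Key authentication and WPA (v1) next to 802.1X and WPA2. The following Python check is an added example, not part of the original howto or of hostapd; it flags those settings in a hostapd.conf before the service is restarted. The embedded sample is constructed (interface and SSID are placeholders), and the note about the TKIP default follows the comments in hostapd's stock hostapd.conf.

```python
# Added example: flag legacy 802.11 security settings in a hostapd.conf.
SAMPLE_CONF = """\
# Constructed sample: security-relevant values as shown in this howto;
# interface and ssid are placeholders.
interface=wlan-placeholder
ssid=placeholder-ssid
auth_algs=3
wpa=3
wpa_key_mgmt=WPA-EAP
ieee8021x=1
eap_server=1
"""

def parse_conf(text):
    """Return key -> value for key=value lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # split once: values may contain '='
        conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return (setting, finding) tuples; only explicitly set values are checked."""
    findings = []
    if int(conf.get("auth_algs", 0)) & 0b10:
        findings.append(("auth_algs", "bit 1 set: Shared Key Authentication (WEP) allowed"))
    wpa = int(conf.get("wpa", 0))
    if wpa & 0b01:
        findings.append(("wpa", "bit 0 set: WPA (v1) enabled; wpa=2 is WPA2/RSN only"))
    if wpa:
        ciphers = set((conf.get("wpa_pairwise", "") + " "
                       + conf.get("rsn_pairwise", "")).split())
        if "TKIP" in ciphers:
            findings.append(("pairwise", "TKIP listed as a pairwise cipher"))
        elif not ciphers:
            findings.append(("pairwise", "no pairwise cipher pinned; stock "
                             "hostapd.conf documents TKIP as the wpa_pairwise default"))
    return findings

if __name__ == "__main__":
    for setting, finding in audit(parse_conf(SAMPLE_CONF)):
        print(f"{setting}: {finding}")
```

A configuration with ''auth_algs=1'', ''wpa=2'' and ''rsn_pairwise=CCMP'' passes this check with no findings.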