it's worth noting that hostapd has a built-in EAP server as well for running Radius. check the config sample for "EAP server" https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

As for securing them, there's several labs security researchers provide for breaking into "enterprise wifi"

https://github.com/sensepost/shinai-fi https://github.com/r4ulcl/WiFiChallengeLab-docker