Enabling 2FA with privacyIDEA for wireless networks

There are not many articles on enabling token-based authentication for wireless networks.
If you want to try out how it feels to use 2FA, with its advantages and disadvantages, just follow this guide.

It requires that you’ve followed




beside the radius stuff.

To get this thing to work you need to use TTLS with PAP instead of the default.

Also, the freeradius package from Debian is way too old and doesn't work with this setup, so we have to compile our own. As an alternative, you could create your own Debian package as described here:



  • wget ftp://ftp.freeradius.org/pub/freeradius/freeradius-server-3.0.12.tar.gz
  • tar xvfz freeradius-server-3.0.12.tar.gz
  • cd freeradius-server-3.0.12/
  • aptitude install make automake gcc libtalloc-dev libperl-dev
  • ./configure --prefix=/usr/local/freeradius --with-perl --disable-openssl-version-check
  • make && make install
  • cd /usr/local/freeradius/etc/raddb
  • Add your gateway to clients.conf
  • Set DEFAULT Auth-Type := perl in users
  • In mods-enabled, link perl from mods-available
  • Add the module path /opt/privacyidea/lib/privacyidea/authmodules/FreeRADIUS/privacyidea_radius.pm
  • Also edit eap and set default_eap_type to ttls
  • sites-enabled/default: Add perl to the end of authorize section and on top of authenticate
  • sites-enabled/inner-tunnel: Add perl on top of authenticate section
  • Start radius in debugging mode and try to log in via WLAN: /usr/local/freeradius/sbin/radiusd -X
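
A way to confirm the edits from the list above before starting radiusd -X. This is an added example, not part of the original guide and not code from FreeRADIUS or privacyIDEA. The function names (has_perl, miss, check_raddb) are made up for this example, and it assumes the stock layout of mods-enabled/eap, where the outer default_eap_type comes before the ones inside ttls and peap.

```shell
#!/bin/sh
# Added example: checks a raddb tree for the settings listed in this guide.
# Function names are hypothetical; nothing here ships with FreeRADIUS.

# has_perl FILE SECTION: true if an uncommented "perl" line sits inside SECTION { ... }
has_perl() {
    awk -v sec="$2" '
        { sub(/#.*/, "") }                      # drop comments first
        !depth && $1 == sec && $2 == "{" { depth = 1; next }
        depth {
            if (NF == 1 && $1 == "perl") found = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # follow nested blocks
        }
        END { exit !found }
    ' "$1" 2>/dev/null
}

miss() { echo "MISSING: $1"; fail=$((fail + 1)); }

# check_raddb DIR: prints each missing setting, returns the number missing
check_raddb() {
    r="$1"; fail=0
    grep -Eq '^DEFAULT[[:space:]]+Auth-Type[[:space:]]*:=[[:space:]]*perl' "$r/users" 2>/dev/null ||
        miss "users: DEFAULT Auth-Type := perl"
    grep -Eq '^[[:space:]]*filename[[:space:]]*=.*privacyidea_radius\.pm' "$r/mods-enabled/perl" 2>/dev/null ||
        miss "mods-enabled/perl: filename = .../privacyidea_radius.pm"
    # Assumption: the first uncommented default_eap_type is the outer EAP type.
    outer=$(sed 's/#.*//' "$r/mods-enabled/eap" 2>/dev/null |
        awk '$1 == "default_eap_type" { print $3; exit }')
    [ "$outer" = "ttls" ] || miss "mods-enabled/eap: default_eap_type = ttls"
    has_perl "$r/sites-enabled/default" authorize || miss "default: perl in authorize"
    has_perl "$r/sites-enabled/default" authenticate || miss "default: perl in authenticate"
    has_perl "$r/sites-enabled/inner-tunnel" authenticate || miss "inner-tunnel: perl in authenticate"
    return "$fail"
}

# Run against the directory given as first argument, if any.
if [ "$#" -gt 0 ]; then check_raddb "$1"; fi
```

Pass /usr/local/freeradius/etc/raddb as the first argument; the exit status is the number of settings still missing.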