U2F is a pain in the a**.
From a user perspective it looks totally nice and I would ask every service provider on the internet, every portal, every web shop to implement it. (In this case each service takes care of registration and authentication, which is the original design of U2F.)
But U2F is totally made for HTTP! If you want to use it anywhere else it means bending technology, and this is where we are at with my first sentence:
- Your UAG has to be able to communicate with privacyIDEA. (Which is very likely not implemented there.)
- Passing the challenge response through RADIUS challenge response is most probably not possible, not supported by privacyIDEA RADIUS and most probably not supported by UAG, which would be the RADIUS client.
You should not use U2F for an infrastructure under your control! Why would you use it in the first place? Save some money on hardware? Get a nitrokey or a yubikey. You can initialize the secret key and be much more secure than with the usual u2f device, which usually derives all key pairs from a master key you can not change.
(Sorry for this U2F rant.)