
Anonymous Wireless Network Authentication against Semi-honest Network Administrators

Anonymous WiFi Authentication against Honest-but-curious Administrators

Advisor: 蕭旭君

Abstract


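Wireless hotspots are now widely deployed around the world, which can create a risk of leaking location and trajectory privacy. Most previous research has focused on protecting the MAC address, which an eavesdropper can obtain and use as a unique identifier, but the authentication identity used by current wireless network authentication mechanisms carries the same privacy risk. We therefore propose an anonymous wireless network authentication mechanism against semi-honest network administrators. Drawing on the properties of Direct Anonymous Attestation (DAA), we use a DAA signature as the authentication identity during wireless network authentication, which achieves anonymity and unlinkability. In addition, we built an easily deployable implementation that combines an X.509 extension field embedded in the client certificate with a customizable certificate validation mechanism on the FreeRadius server. We validate the security and ease of deployment of our design, and show that it adds only marginal latency compared with EAP-TLS and is nearly the same as the commonly used PEAP.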

Parallel Abstract


Nowadays, wireless hotspots have been widely deployed around the world, which may lead to significant location and trajectory privacy risks. While most previous work focuses on protecting MAC addresses, which can be used as unique identifiers, against eavesdroppers, the authentication identity of existing WiFi authentication mechanisms can also be used by administrators to track users. In our work, we propose a new authentication mechanism for WiFi which supports anonymous authentication against honest-but-curious administrators. Leveraging the properties of Direct Anonymous Attestation (DAA), our scheme achieves anonymity and unlinkability by using a DAA signature as the authentication identity while the client is authenticated by the authentication server in the WiFi network. We further build an implementation of our scheme by using an X.509 extension embedded in the client certificate and importing a customized certificate validation check on the FreeRadius server. We validate the security properties and demonstrate the deployability of our solution. We show that our scheme introduces marginal overhead compared with EAP-TLS and performs similarly to the widely deployed PEAP.
