Uh, what a lame thing. It will only work on the assumption that the
user does not check the server certificate, which really bad
practice.
The rest is a setup of FreeRADIUS which is designed to be compatible
with as many EAP types as possible; so as not to disturb the end
user experience.
It also can't figure out if the user entered his real credentials or
had a typo/intentionally put in something different.
The "patch" is a few sample clients, nothing more.
A nice exercise, for sure, but calling this "Pwnage Edition" is
somewhat exaggerated. As I read the headline, I expected more bang
for the buck :-)