RE650 - 802.1x Wireless Client - Enterprise Security

I recently purchased a TP-Link RE650 for my girlfriend who is away at college due to the fact that she has horrible cell service and spotty WiFi coverage in her dorm making it near impossible to have a decent video call over the phone or computer.

I was able to successfully flash to OpenWrt using the latest available snapshot (will upgrade to full release when available and supported on my device). Got LuCI installed, along with the full wpad package, and relayd (just in case it was required for our setup).

Here at home I was successfully able to scan for and join my wireless network as WWAN on the OpenWrt device, then broadcast a new SSID out as WLAN1. After setting the RE650's IP address to a separate subnet from my home network (192.168.10.1), I could connect to the new SSID, get assigned an address from OpenWrt's DHCP, and browse the internet with no issues.

As expected the setup at her college is throwing some curveballs, most likely due to the fact that they use 802.1x enterprise security on the wifi.

Attempting to mimic the test setup from home, I was able to scan for available networks, but was unable to join the student network since LuCI has no form field to enter a username when connecting; it only presents me with a password box. Scanning appears to detect the correct type of encryption, but unfortunately there is nowhere to enter the username/password combo when connecting.

At this point I went to try their guest network, which does not use enterprise security. I was able to connect and received a 10.10.43.x IP via DHCP but was not able to browse the internet. I believe this is because they use a captive portal that requires each device to either accept or decline a policy before letting them through. I could see in my browser it was attempting to bring me to the captive portal page; however, my browsers would never successfully connect.

Prior to flashing OpenWrt, the factory TP-Link firmware was unable to scan for 802.1x networks. Connecting to the guest network did work, and we were able to browse the internet through the RE650; however, there are dozens of access points around campus, so the RE650 can see around 10 duplicate SSIDs, and whenever it associated to a different AP our connection would drop out and require a power cycle of our device before internet access would be restored.

I'm at a bit of a loss as to where to go from here. I feel like if I could successfully join the 802.1x student WiFi then we would be good to go.

The ultimate goal here is to join the campus student WiFi using the RE650's 5 GHz radio, broadcast our own SSID by setting up an AP on the RE650's 2.4 GHz radio, and allow the single Ethernet port to plug into a wired device in the dorm. There is really no need (unless required to make everything work) to use relayd to pass DHCP from the campus network down to devices on the other side of the RE650.

Is there some step in the connection/setup process I have overlooked? How can I enter the username/password combo when attempting to connect to the enterprise grade secure wifi on campus?

Manually configure the encryption. Actually, manually configure the whole connection. (I don't like the join network button.)

Encryption of a campus network is almost always WPA2-EAP TTLS with MSCHAPv2 inner encryption, since that is one of the few standards that Windows will support.

The BSSID setting will prevent connection to any AP other than the designated one (BSSID is the MAC of the allowed AP; the join network button automatically fills it). You usually would want to allow roaming, so leave BSSID blank.
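
An added example, not part of the reply above and not the OpenWrt project's own text: a client (`sta`) section for `/etc/config/wireless` matching the WPA2-EAP TTLS/MSCHAPv2 setup described, with the BSSID left unset. The radio name, SSID, identities, CA path and server name are placeholders, and the two certificate options are an addition so the client verifies the campus RADIUS server before sending the username and password.

```conf
# /etc/config/wireless (client section only; every value below is a placeholder)
# Needs the full wpad package mentioned in the post for EAP client support.
# Assumes /etc/config/network defines an interface 'wwan' with proto 'dhcp'.

config wifi-iface 'wwan'
	option device 'radio0'        # assumption: radio0 is the 5 GHz radio
	option mode 'sta'
	option network 'wwan'
	option ssid 'CampusStudent'   # placeholder SSID
	# No 'option bssid' line: leaving it unset lets the client roam between APs.

	option encryption 'wpa2'      # WPA2-Enterprise (802.1X), not 'psk2'
	option eap_type 'ttls'        # outer EAP method
	option auth 'MSCHAPV2'        # inner (phase 2) method
	option identity 'student@example.edu'   # placeholder username
	option password 'REPLACE_ME'            # stored in clear text in this file

	# Outer identity, visible before the TLS tunnel is up. Assumption: the
	# campus accepts an anonymous outer identity; drop this line if it does not.
	option anonymous_identity 'anonymous@example.edu'

	# Server validation. Without these two lines the client accepts any
	# certificate, so any AP advertising the same SSID can collect the
	# MSCHAPv2 exchange for this account.
	option ca_cert '/etc/ssl/certs/campus-radius-ca.pem'   # CA published by the campus IT
	option domain_suffix_match 'radius.example.edu'        # expected RADIUS server name
```

After editing, `wifi reload` applies the change and `logread` shows the wpa_supplicant association and EAP messages, including certificate validation failures.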