I work in an environment that uses 802.1x WiFi network that uses client certificates. I am looking for a creative solution that makes this WiFi network accessible to devices that can understand WPA2 Personal style only. This is how it works now.

1. Users first connect to "Lenovo Guest" network. This is WPA2 Personal style network.
2. When you try to access google.com, the web browser gets redirected to a page that prompts user to download and run an application. I believe it is Cisco or Aruba clearpass installer or something of that sort. After running this application, the local certificate store on my PC is getting updated with certs injected by this utility.
3. Then I see "Lenovo BYOD" wifi network when I scan for WiFi. I make my PC forget "Lenova Guest" and then connect to "Lenova BYOD" network without any authentication. It connects fine and I have access to internet. The above picture denotes current setup.
   
   What I am trying to do is use a router that understands 802.1x; provision it with same certificate so that it connects to "Lenova BYOD" as a client and bridge its WiFi clients through NAT'ed. Picture below describes what I am looking for. I want to setup "My Lab WiFi" that bridges 802.1x wifi to WPA2 Personal style wifi.
   
   

If there is a device that I can buy for $50 r less and configure it, that would be perfect. I looked at OpenWRT forums. Looks like it is possible if I burn OpenWRT firmware on a supported router. Before I go that route, I thought I ask if this one was tried and any solutions exist.

If you have suggestions to try OpenWRT configs, please share as well.