Q: iOS 5/iPad 2 proxy settings not being remembered

Seems like the problem is at leased partially solved by upgrading to just released IOS 5.1

Still from time to time ask for credentials, but mostly OK.

In education again here also - thinking of buying ipads for all older pupils at our school but athentication issues with iOS, as mentioned it keeps asking for the proxy username and password over and over - useless for primary school pupils.

iOS 5.1 is no better, tried an iphone and ipad today on the proxy server - kept prompting for password over and over - worse than usual.

Workarounds impossible because of security.

Currently contemplating laptops rather han ipads because of the problem.

Surely there must be an easy answer either in iOS itself or a change of setting for the network admins?

Still no good. There are no settings in iOS or that a network admin can set to make this work. Put simply (as I have said before), apps on the iDevices need to access both normal (HTTP) and secure (HTTPS) sites for various activities. The Apple devices ONLY support providing keychain entries for "HTTP". So every time an application wants a HTTPS site (which they do in the background), you will receive a username and password prompt.

The only real work-around is a labour-intensive one for the IT Department. They need to log every single iDevice's MAC address (Physical Network Interface ID) into a DHCP Reservation. They can then set that particular range of IP Addresses to run through the proxy unauthenticated, and apply any additional filtering that they need. This is the ONLY way that currently works (outside of creating a new proxy server specific for them, or running proxy software like "Authoxy"). It's also a security issue and not "great".

This isn't a case of corporate networks "doing something wrong that's stopping iDevices from working"... it's "Apple didn't provide the settings needed to make the device work on a corporate/education environment". For the same reason Android devices don't work here (don't support the certificate enrollment for 802.1X authenticated wireless networks), iDevices prompt for credentials.

We use Netbox and had a fair amount of success when white listing *.apple.com we generally found that a large proportion of the proxy logn pop ups disappeared on both iOS 5.0.1 & 5.1

Netbox Blue is a good choice and supports this. When configured correctly, the wireless authentication credentials that you enter on a Mac/iDevice/etc will do some voodoo with regards to the back-end network services and will essentially authenticate devices as a user, based on it's MAC address (similar to the manual process I described above). This will enable you to run without this issue.

We are considering switching from a Websense/MS-TMG setup to NetBox just because of annoyances like this. It's bad when you need to consider a completely new network security product (and tens of thousands of dollars expense) to work around an issue that Apple are responsible for.

Hmmm that's a good point. Apple do need to work on that.

Our district switched our old proxy server to J-Boss specifically because it works with iDevices. The problems are now gone.

Has anyone tried Apple's Configurator to setup their iPads to see if it solves this issue?

http://itunes.apple.com/us/app/apple-configurator/id434433123?mt=12

I also have this issue also and is a real pain for our users. Is anyone close to resolving it? or has anyone contacted Apple regarding it?

Originally it would keep prompting for a username and password even if what you entered the first time is correct. We got round this problem by changing the port from the normal 8080 traffic to 8083 (first spare port). This stopped the issue of it keep prompting even if the details are correct. Not sure of the details of this.

Now it just prompts us once when the device is turned on (Even though we have entered details under the proxy settings). It remembers this for the session, so until the session timesout (which is currently set to 2 hours).

Would be nice if the iPad actually used the settings you entered under the proxy.

This is (no longer) true, if you look at the TMG logg both HTTP and HTTPS request are correct authenicated when things work, the problem is still that way too often you have to enter the credentials, and worse if you type it wrong a few times easily lock you AD account.

We are looking for other solutions since TMG does not support IPv6 anyway and that to me shows that it is a dying product. Since we have a personal certificate in the devices (for EAP-TLS) we hope to get Squid or Cisco ASA Identity Firewall to recognize and allow traffic based on that.

.

Trying to setup a Manual Proxy for Wi-Fi  that requires Authentication:

I tested using the iPhone Configuration Utility (iPCU) version 3.5 with iOS 5.0.1 and iOS 5.1 devices.  I am able to get the proxy server name and port to stick with a Manual Proxy on a Wi-Fi network.    The most IMPORTANT item that is still NOT WORKING is that the Proxy Authentication setting is still OFF and the Username and Password are NOT set. 

Has anyone else gotten this far?  This seems like it is HALF FIXED in iPCU v.3.5.

Has anyone got good news about issue?

Does anyone have an update on this?   Thanks!

We wanted officiall answer and they told us, we should use other authentication type for wi-fi or we should pay money to Apple for fixing this issue...

So they do not accept that this is their problem.

For your information.

Thanks for the response!

Been dealing with this headache for a very long time.  In our organization we have users that are able to get to certain sites based off their role and AD permissions (i.e. Twitter, YouTube, etc).  This causes the users to enter their credentials every day (it was set to 2 hours but we increased our proxy re-authentication time out to 12 hours to limit the annoyances) but this can cause more issues (such as if the user types in the wrong password, they get default restrictive access and we need to clear their session)

Ultimately what we did right now to allow email and internal sites to work is bypass our internal domain to not require authentication from our proxy(Bluecoat ProxySG).  This allows users to use their mail, calendar, internal sites and not be prompted for credentials.  Once they hit CNN or Yahoo then they will be prompted.  It's not an ideal solution but has reduced some of the headaches. 

We've tried the Apple Configuration tool but even when specifying a authentication and the username and password, the settings never stick.  We also tried to deploy this from our enterprise MDM and will not work either.  We opened a ticket with them to go to Apple with who simply said "yeah we know".  Doesn't seem like they are in a rush to fix these annoyances for IT departments to make our lives easier.