IOS 4.2.1 breaks web-based authentication to wifi access points

Similar Messages

• IOS 6.0.1 - Problems with certificate based authentication on wireless access point

  Hi all
  We are using iPad 2 as order terminals in our shops for about 5 months. Some of the iPads (the first who entered the field) started to cause problems now. These iPads are no longer able to keep long-term connection to the wireless access point in our stores. After selecting the SSID a successful authentication using the stored EAP-TLS certificate is performed (this can be seen in the log files of our wireless controller and by the IP adress that is given by DHCP). But within seconds the affected iPads opening up a captive portal page (empty, without contents) and separates the connection to the SSID after a short time again.
  Affected are currently only iPads 2 with iOS 6.0.1, which were staged about 5 months ago. The newer devices with iOS 6.1+ connect without problems and open no captive portal page. The first cases occurred on the last Wednesday. Before that everything worked without difficulty. No modifications took place on the security structure.  The numbers of affected devices increased until all iOS 6.0.1 were affected.
  Access to other SSIDs (without use of certificates, by entering a key) for the devices is still possible (the devices does not open an captive portal page). The DHCP scope is not used up, so there are enough IP addresses available.
  "Newer iPads" with an iOS of 6.1+ are are showing no problems on the same wireless access point, where the older devices are rejected. New and old devices use the same certificates and authentication mechanisms.
  In the analysis of the issue, it turned out that  the problem can be solved by an update to iOS 6.1.3. Subsequently, the iPads will be able to rebuild a connection with the access point, without a captive portal page.
  Since the bandwidth is very narrow dimensioned in our stores, the communication of the iPads was severely restricted. Thus, the iPads are for exampleare accessible for the APNS but can not find iOS updates or check for their availability.
  A comprehensive update to iOS 6.1.3 is currently excluded.
  Does anyone knows this issue? What else can be done (except from updating)?

  I will answer my own question in case it helps anyone else.
  It would "seem" the ios 6 devices try the proxy and if that is not working they resort to the def gateway.
  To Fix I did the following:
  Brocade WIFI network has IPS and Advanced Firewall rules that seemed to be tthwarting some traffic, the iphones would then try the default gateway and be blocked at the FW. 
  I disabled the IPS and the Advanced Firewall Settings on the wifi as they are redundant to our main IPS and firewall that all traffic flows through anyway.  I will tune it later, but when the CEO is demanding a fix "**** the security, full speed ahead"
  Created some rues on the firewall to allow...
  - IMAP-SSL (port993) outbound
  - SMTPS (port 465) to yahoo servers outbound
  - tcp port 587 to yahoo servers outbound
  - https to akamai servers
  Most http and https goes through the proxy as it should, BUT...
  It seems that the akamai traffic allways ignores the wifi proxy settings and just heads straight for the default gateway.  I suspect there is a bug in the icloud app? 
  Hope this helps someone else.
  -Bo

• Web based authentication for wired client, Crendentials submission failure.

  Hi,
  I am trying to set up the functionnality "cisco web based authentication" for the wired clients.
  The problem i encountered is that my switch doesnt forward the client's password to the ACS.
  When the user validate his credentials on the login page only the login seems to be forwarded.
  The result of the command "show ip admission cache" always show the client in the init state.(i use the default cisco web login page).
  the connection between aaa servers and the switch is working.
  You will find in attachements the running-config and the debug file.
  Thanks for your help, any ideas are welcome :) (its t os version c3750e-ipbasek9-mz.150-2.SE7).

  Well i took a look on your documents but i didnt find anything that helped me ;S.
  I'm still stucked on the same step.

• IBNS web-based authentication HTTPS intercept

  Hi everybody,
  Hopefully this is an easy question.
  I have configured an IBNS setup with Wired Web-Authentication. To sum this up: connect a computer to the switch, go to a web page, the switch intercepts the http request, sends you a log-in page, you log in and get directed to the original web page.
  For this, I have used the following guide http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577494.html
  Before I implemented this, I had the HTTP and HTTPS server on the switch disabled. But if I disable the HTTP serer (and leave the HTTPS server enabled), the switch doesn't intercept the web pages anymore. Is there a way to use web-based authentication without using the HTTP server and using only the HTTPS server on the switch?
  Hope someone can help me with this.
  Thanks
  Ian

  Well I haven't had any luck getting an iPhone to present an SSL certificate to an IIS7 ASP.Net webserver.
  The same .p12 certificate works on IE7, PocketIE (WM6), Firefox and Safari (PC version). The website is set to Require an SSL certificate. From the Windows Mobile or PC browsers, you get a prompt for the client certificate. I have tried Nick's website and the iPhone will prompt to choose between his and my certificates, however with IIS7 you just get a 403.7 client SSL certificate required error.
  I have turned on SSL tracing in HTTP.Sys and get the following (edited for length) :
  <Opcode>SslInititateSslRcvClientCert</Opcode>
  - <Keywords>
  <Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
  </Keywords>
  <Task>HTTP SSL Trace Task</Task>
  <Message>Server application is attempting to receive the SSL client certificate, which will be provided if available. If the client certificate is not available, a renegotiation will be initiated.</Message>
  <Channel>HTTP Service Channel</Channel>
  <Provider>Microsoft-Windows-HttpService</Provider>
  ... then after various SSL negotiations and receive raw data traces I see...
  <Opcode>SslRcvClientCertFailed</Opcode>
  - <Keywords>
  <Keyword>Flagged on all HTTP events handling ssl interactions</Keyword>
  </Keywords>
  <Task>HTTP SSL Trace Task</Task>
  <Message>Attempt by server application to receive client certificate failed with status: 0xC0000225.</Message>
  <Channel>HTTP Service Channel</Channel>
  <Provider>Microsoft-Windows-HttpService</Provider>
  Which basically seems to mean a "not found" error.
  Anyone had any luck with iPhone to IIS 7 (which we have to use as it is an ASP.Net website)?

• Form based authentication HTTP 403 access forbidden in WL 8.1

  Hi there..
  I found following message posted in April-2004 by Sandeep very useful.
  I also ended up getting the following HTTP 403 Forbidden access error while using Pageflow controller and Form based authentication.
  I noticed 2 things. If you have a normal webapp A, which is a plain old webapp (which does not use pageflow..workshop etc..) then the following error does not occur.
  It only happens with those webapps which utilizes WL 8.1's pageflow features. Note that I am not using nested page flows. I just used 1 pageflow controller and wanted to have the form based login feature for the same.
  BEA's samples on form authentication talks about nested page flows and javax.security.auth.login.FailedLoginException and etc.. are they only applicable to nested pageflows?
  can't I use the same to capture failed login exception within a single controller?
  I tried out putting FailedLoginException exception-handler in Global.app file but it didn't catch it. Only the following work around worked. is this a bug in WL 8.1 workshop? or I am missing something.
  I would appreciate if someone can clear this doubt.
  I am using WL 8.1 with sp3.
  Rajesh
  Hey guys,
  I could find the solution for my problem. Here it is
  We need to add following lines of code in the erro.jsp page.
  <form action"j_security_check>
  ....write the error mesage....
  </form>
  You will get rid of "403 Forbidden page" error.
  Thanks,
  Sandip
  [email protected] (Sandip Atkole) wrote in message news:<[email protected]>...
  I am trying to set up Form-Based Authentication on WebLogic 8.1
  The Problem:
  If the user provides correct userid/password, he gets access to the
  protected resource as required, but if he provides incorrect
  userid/password, he gets a 403 Forbidden page, instead of getting the
  login failure page.
  The Descriptors:
  WEB.XML
  <login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
  <form-login-page>/Login.jsp</form-login-page>
  <form-error-page>/LoginError.jsp</form-error-page>
  </form-login-config>
  </login-config>
  Why doesn't it redirect to "/LoginError.jsp" instead of showing the
  403 Forbidden page?
  Thanks in advance
  Sandip

  It seems like a bug. However when I explicitly reset the error using set status it worked for me. I added following code in my error jsp .
  <%     
       response.setHeader("conent-type","text/html");
       response.setStatus(200);
  %>

• AP Extreme (WiFi Access Point)... LAN... Web Proxy Server help.

  Hello...
  I need a little help configuring this Airport Extreme as a Wireless Access point, serving a bunch of iPads via the schools LAN connection for which traffic is routed through a Web Proxy Server. I've been told to set it up as a bridge as the PC LAN and Proxy are providing NAT but can't seem to crack it.
  The WiFi side of things is up and running, we can all see and connect to the AP.
  I'm told that it was working fine before the school break in the summer, then something was changed and the position of the AP altered.
  The Web Proxy Server is normally accesses from the PC's via the following address... IP > 10.12.14.122  //  PORT > 3128
  I'm not certain where the Proxy settings need to go in the new 'simple' Airport Utility, can't see a place for Port at all?!?
  (I've taken the AP home, tried it on my home network and it works fine, so we know its all OK and its down to config).
  Here are some screen images of the settings as they are, that do not work.
  (I was trying a few different settings hence the screens like Static/DHCP etc.)
  Any help is greatly appreciated.

  Hi Daniel,
  >>Now when I go on a client site my internet access on the host laptop is via a web proxy on a LAN connection.
  "LAN connection" means physical NIC (Realtek PCIe GBE Family Controller) ?
  " web proxy " means adding a proxy server IP in IE ?
  Bounding the NIC (Realtek PCIe ) to external virtual switch then connect all VMs to that external virtual switch ,still can not access ?
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Catalyst Web-Based Authentication

  Hi there,
  I am having problems getting this web-auth working and am hoping you guys can assist with a solution. It works for ssh/telnet, but not for proxy web auth.
  This is the equipment:
  Cisco 3750G with IOS 12.2(53)SE1
  CiscoSecure ACS Appliance Release 4.1(1) Build 23 Patch 4
  Windows 2003 R2 domain controller
  Here the relevant config:
  <snip>
  aaa new-model
  aaa authentication login default group tacacs+
  aaa authentication login no_auth line
  aaa authentication login use_tacacs group tacacs+ local
  aaa authentication login console local
  aaa authorization config-commands
  aaa authorization exec default group tacacs+ local
  aaa authorization commands 15 default group tacacs+ local
  aaa authorization network default group radius none
  aaa authorization auth-proxy default group tacacs+
  aaa accounting exec default start-stop broadcast group tacacs+
  aaa accounting commands 15 default start-stop broadcast group tacacs+
  interface Vlan150
  ip address 10.10.10.14 255.255.255.0
  ip tacacs source-interface Vlan150
  ip radius source-interface Vlan150
  tacacs-server host 10.10.10.4 single-connection
  tacacs-server directed-request
  tacacs-server key 7 15270505307A21
  radius-server attribute 8 include-in-access-req
  radius-server dead-criteria tries 2
  radius-server host 10.10.10.4 auth-port 1645 acct-port 1646
  radius-server vsa send authentication
  </snip>
  ..and in the log, I get this when trying to authenticate from the web auth page:
  006514: Nov  1 12:08:24.307 CET: AAA/AUTHEN/LOGIN (0000059D): Pick method list 'default'
  006515: Nov  1 12:08:24.307 CET: TPLUS: Queuing AAA Authentication request 1437 for processing
  006516: Nov  1 12:08:24.307 CET: TPLUS: processing authentication start request id 1437
  006517: Nov  1 12:08:24.307 CET: TPLUS: Authentication start packet created for 1437(roje)
  006518: Nov  1 12:08:24.307 CET: TPLUS: Using server 10.10.10.4
  006519: Nov  1 12:08:24.307 CET: TPLUS(0000059D)/0/NB_WAIT/475C16C: Started 5 sec timeout
  006520: Nov  1 12:08:24.307 CET: TPLUS(0000059D)/0/NB_WAIT: wrote entire 43 bytes request
  006521: Nov  1 12:08:24.315 CET: TPLUS(0000059D)/0/READ: read entire 12 header bytes (expect 16 bytes)
  006522: Nov  1 12:08:24.315 CET: TPLUS(0000059D)/0/READ: read entire 28 bytes response
  006523: Nov  1 12:08:24.315 CET: TPLUS(0000059D)/0/475C16C: Processing the reply packet
  006524: Nov  1 12:08:24.315 CET: TPLUS: Received authen response status GET_PASSWORD (8)
  And please do let me know if you need additional information or test to spot the error..
  Thank you.

  Password is not sent from the switch to the ACS server - any ideas why and how to fix? :-/
  Using IOS 12.2(53)SE1
  Here's a little more log detail:
  013616: Nov  4 10:20:38.478 CET: T+: End Packet
  013617: Nov  4 10:21:11.789 CET: AAA/AUTHEN/LOGIN (0000095F): Pick method list 'default'
  013618: Nov  4 10:21:11.789 CET: TPLUS: Queuing AAA Authentication request 2399 for processing
  013619: Nov  4 10:21:11.789 CET: TPLUS: processing authentication start request id 2399
  013620: Nov  4 10:21:11.789 CET: TPLUS: Authentication start packet created for 2399(roje)
  013621: Nov  4 10:21:11.789 CET: TPLUS: Using server 10.10.10.4
  013622: Nov  4 10:21:11.789 CET: TPLUS(0000095F)/0/NB_WAIT/5B4E178: Started 5 sec timeout
  013623: Nov  4 10:21:11.789 CET: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  013624: Nov  4 10:21:11.789 CET: T+: session_id 3455235127 (0xCDF2B437), dlen 36 (0x24)
  013625: Nov  4 10:21:11.789 CET: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  013626: Nov  4 10:21:11.789 CET: T+: svc:LOGIN user_len:8 port_len:20 (0x14) raddr_len:0 (0x0) data_len:0
  013627: Nov  4 10:21:11.789 CET: T+: user:  roje
  013628: Nov  4 10:21:11.789 CET: T+: port:  GigabitEthernet1/0/1
  013629: Nov  4 10:21:11.789 CET: T+: rem_addr: 
  013630: Nov  4 10:21:11.789 CET: T+: data: 
  013631: Nov  4 10:21:11.789 CET: T+: End Packet
  013632: Nov  4 10:21:11.789 CET: TPLUS(0000095F)/0/NB_WAIT: wrote entire 48 bytes request
  013633: Nov  4 10:21:11.798 CET: TPLUS(0000095F)/0/READ: read entire 12 header bytes (expect 16 bytes)
  013634: Nov  4 10:21:11.798 CET: TPLUS(0000095F)/0/READ: read entire 28 bytes response
  013635: Nov  4 10:21:11.798 CET: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  013636: Nov  4 10:21:11.798 CET: T+: session_id 3455235127 (0xCDF2B437), dlen 16 (0x10)
  013637: Nov  4 10:21:11.798 CET: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  013638: Nov  4 10:21:11.798 CET: T+: msg:  Password:
  013639: Nov  4 10:21:11.798 CET: T+: data: 
  013640: Nov  4 10:21:11.798 CET: T+: End Packet
  013641: Nov  4 10:21:11.798 CET: TPLUS(0000095F)/0/5B4E178: Processing the reply packet
  013642: Nov  4 10:21:11.798 CET: TPLUS: Received authen response status GET_PASSWORD (8)
  013643: Nov  4 10:21:21.436 CET: AAA/BIND(00000960): Bind i/f 
  013644: Nov  4 10:21:21.436 CET: AAA/AUTHEN/LOGIN (00000960): Pick method list 'default'
  013645: Nov  4 10:21:21.436 CET: TPLUS: Queuing AAA Authentication request 2400 for processing
  013646: Nov  4 10:21:21.436 CET: TPLUS: processing authentication start request id 2400

• Web based email program prevents access from email aggregator

  Hi all - I'm a fairly new BB user and have a problem that I need some help.  I have been using my BB Bold to access my U.S. Army webmail.  Recently I received an email from the system saying that access to email by aggregators such as Google mail and Blackberry will not longer be allowed because those systems store usernames and passwords on servers outside the control of the Army.  Apparently this is a cyber-security concern.
  The webmail will still allow IMAP and POP access so long as the username and password are not stored on external servers (such Microsoft Outlook).  I can not figure out a way to configure my BB to do this without storing my username and password on the BIS system.  Short of installing a third party application is there any way to access my Army email from my BB without storing my username and password on the BIS system?
  Thanks for your help!

  Hi and Welcome to the Forums!
  Nope...BIS is a conduit that pulls from your POP/IMAP account and then pushes new stuff to your BB. If there is nothing to push, it does nothing to interrupt your BB. To do all of that, it must know your credentials for your POP/IMAP service...hence the fact that your ID and password must be stored inside of your BIS configuration. That's how it works.
  The only other thing I can think of for you would be the webmail interface -- if they have one, you could use the BB Browser to access that email account rather than go through BIS.
  Good luck!
  Occam's Razor nearly always applies when troubleshooting technology issues!
  If anyone has been helpful to you, please show your appreciation by clicking the button inside of their post. Please click here and read, along with the threads to which it links, for helpful information to guide you as you proceed. I always recommend that you treat your BlackBerry like any other computing device, including using a regular backup schedule...click here for an article with instructions.
  Join our BBM Channels
  BSCF General Channel
  PIN: C0001B7B4   Display/Scan Bar Code
  Knowledge Base Updates
  PIN: C0005A9AA   Display/Scan Bar Code

• Path-through authentication on WAP321 access point

  Dear colleagues!
  There is a task to perform webauth without entering username/password on WAP321 AP (path-through authentication).
  We need to eliminate captive portal page which requests username type-in. After connecting to the network user has to be redirected to company's website without any captive portal.
  How to achieve this?
  Thank you!
  Yuriy

  Hi Diane,
  This is a very good question that comes up every once in a while. As you can see from the answers in the links below,there are alot of factors that come into play. The consensus from everything I have read and experienced would be 20-25 users per AP depending on actual applications etc.
  Have a read for some great answers provided in this forum by some excellent "hands on" experts:
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.ee9a96d/2#selected_message
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=General&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd6c0a5/0#selected_message
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Getting%20Started%20with%20Wireless&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd5f1ca/0#selected_message
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=WLAN%20Radio%20Standards&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.eeab5db/1#selected_message
  Here is a Cisco doc that relates to this question;
  Q. How many clients can associate to the AP?
  A. The AP has the physical capacity to handle 2048 MAC addresses. However, because the AP is a shared medium and acts as a wireless hub, the performance of each user decreases as the number of users increases on an individual AP. Ideally, not more than 24 clients should associate with the AP because the throughput of the AP is reduced with each client that associates to the AP.
  From this Q&A doc;
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml
  Hope this helps!
  Rob

• SP4 and Form Based Authentication

  Hi,
  I had just advised a customer to apply SP4 to WLS and
  then plug in the 'source code' patch, he replied that he had
  been informed that SP4 breaks Form Based Authentication for
  war web apps?
  Can anyone confirm/deny this for me please ?
  regards,
       Patrick.

  Hehe Hiya Patrick!, that was Me! seems we use the same hot source of info :)
  Cheers
  Rob :)
  "Patrick Byrne" <[email protected]> wrote in message
  news:[email protected]..
  Hi,
  I had just advised a customer to apply SP4 to WLS and
  then plug in the 'source code' patch, he replied that he had
  been informed that SP4 breaks Form Based Authentication for
  war web apps?
  Can anyone confirm/deny this for me please ?
  regards,
  Patrick.

• Identity SSO API with non-web based appilcations

  hi,
  i can appreciate hwo this works with cookies etc for web based applications that use the api or one of the agents on apache etc.
  but how does it go with non web based java and say windows applications?
  can anyone point me to some docs?
  thanks

  I don't work for Sun but here are my thoughts
  1. Yes, if you don't want to use the AM SDK then the
  XML auth service is the way to go.
  2 & 3. dunno
  4. I think if you pass around the SSOToken ID
  generated by AM then any application can issue a SAML
  query to see if the session is still valid and get
  identity/auth attributes back
  5. I think SAML 2.0 supports authentication and
  single signoff
  6. If you are doing a lot of thick client apps you
  should use kerberos instead of AM web based
  Authentication. AM supports kerberos authentication,
  most modern browsers support SPEGNO for passing
  credentials to web server, AD supports Kerberos, and
  even Solaris 10 comes with a free KDC built into the
  OS. There is plenty of documentation around kerberos
  and the JDK out of the box supports GSS-API for
  Kerberos authenticationThank you for your feedback.
  We looked at the use of kerberos as well, but this is not really an option as we are dealing with fat clients installed on desktops of clients. So these desktops do not fall within our span control (multiple domain controllers etc.).
  Regards,
  Thomas

• İp address for web based setup?

  Hi everyone,
  I have a trouble with my wireless router, ı cant access to its web based setup, cause ı'm accessing internet with another modem. So when ı tried to reach setup with 192.168.1.1 ip address, the other modems setup shows up. İs there any solutıon for this problem or how can ı get in to the router's setup? is there any alternative ip addresses for linksys modems? Pls ı'm waiting for any reply.
  best regards

  is your computer plugged into the modem or router? if router then you need to turn off the modem, the modem has the same ip as router, you will need to change router ip, use this link to help
  http://www3.nohold.net/noHoldCust56/Prod_6/KnowledgePortal/KPScripts/amsviewer.asp?docid=cafc0b717ab...
  Felipe Diaz
  using WRT600n

• WLC based mobility-anchor guest access solution

  Hi everybody,
  My new setup with WLC baesed guest access solution is working well. I am using web based login authentication for wired & wireless solution. And everything is running through out the WLC. The WLC is granting access to is the internet for the guests. My question is how about printers and other devices that cannot make web based authentication. How can i get them to work in the same setup?
  best regards,
  Sahin

  For wired, you simply need to configure mac aut bypass on the printer switchports and point that to the ACS.
  If it's accepted, the port will go in the printer vlan, if not, you can chose the behavior (block access, put in another vlan, etc ...).
  For wireless, you need to enable "mac filtering" on the SSID, so it's best to create a separate SSID for the printers then because you want to authenticate those by mac address and you don't want that for the other clients probably.
  You can then also point the mac filtering towards ACS on the wlc.
  From there you can either have the macs stored locally on ACS or in your ACtive Directory or wherever you want.

• IOS 6, Netgear access point and Internet

  Hi,
  I’ve reached a point where I’m not entirely sure what to do next.
  Here are some quick details (all are on most recent firmware unless stated):
  Router: Draytek Vigor2830n
  Access Point: Netgear WG102
  Devices: iPhone 4, iPhone 5, iPad 2 and two iPad 2’s for comparison on iOS 5.
  So, all devices running iOS 6.1.3/4 will connect to the Netgear access point just fine, can browse the LAN / stream media from network shares but internet access seems to be 'delayed' and can take anywhere between a minute to 20 minutes to connect (I give up after this). In comparison both the iPad 2’s running iOS 5 will gain internet access immediately after connecting to the access point.
  On the other hand, when connecting to the routers wireless on all devices it works flawlessly and internet connection is 'instant'.
  Given the problems that Netgear wifi has had with iOS 6, which were supposedly ‘fixed’ in iOS 6.1, I’m not sure what to do. It’s definitely a software problem, and could well be something to do with the router (along with connecting to the access point and iOS 6), but I’m not sure what to start changing first. iOS 5 works fine, so what has changed in iOS 6 to break it?
  Its not a security issue like before 6.1 and not being able to connect to the access point at all.
  Basically:
  - I either need to figure what in iOS 6 is causing this ‘delay’ and how to fix it
  -Give up on the access point and buy a new one (seems a bit extreme given that every other devices works fine – iOS 5, blackberry, laptops etc).
  -Wait for iOS 7, hopefully in the next couple of weeks and see if it fixes it, though I can find little information on this issue as it is, and nothing to suggest iOS 7 might help. Though if iOS 5 is fine, iOS 6 broke it and 6.1 slightly fixed it, maybe iOS 7 will cure it? Doubt it…but worth waiting a few days.
  Anyone got any suggestions? I have been through all the usual (HTTP proxy, forget this network, reset network settings), nothing makes it work flawlessly like iOS 5 and the issue is the same on a wide spread of devices running iOS 6.

  Dont know my routerand access point works fine. Try http://support.apple.com/kb/HT4199 and make sure your setting are correct.

• 1041 Access Point -- Web Management Login Timeout

  I've looked thru the various screens but I have not found anywhere to change the Timeout value on the login to Web Management of my 1041 Access Point.  Is that definable? 
  It seems like if you pause for any amount of time, you have to login again before you can do anything.  The time window is just annoyingly small and I want to bump it up to something else.
  Thanks
  Mark

  You need to do it thru command line... I havent test it.. but AP accepts the command...
  Use THIS COMMAND...
  ip http timeout-policy idle seconds life seconds requests value
  Example:
  Router(config)# ip http timeout-policy idle 30  life 120 requests 100
  (Optional) Sets the characteristics that determine how long a connection  to the HTTP server should remain open. The characteristics are:
  •idle—The  maximum number of seconds the connection will be kept open if no data  is received or response data cannot be sent out on the connection. Note  that a new value may not take effect on any already existing  connections. If the server is too busy or the limit on the life time or the number of requests is reached, the connection may be closed sooner. The default value is 180 seconds (3 minutes).
  •life—The  maximum number of seconds the connection will be kept open, from the  time the connection is established. Note that the new value may not take  effect on any already existing connections. If the server is too busy  or the limit on the idle time or the number of requests is reached, it  may close the connection sooner. Also, since the server will not close  the connection while actively processing a request, the connection may  remain open longer than the specified life time  if processing is occurring when the life maximum is reached. In this  case, the connection will be closed when processing finishes. The  default value is 180 seconds (3 minutes). The maximum value is 86400  seconds (24 hours).
  •requests—The  maximum limit on the number of requests processed on a persistent  connection before it is closed. Note that the new value may not take  effect on already existing connections. If the server is too busy or the  limit on the idle time or the life time is reached, the connection may  be closed before the maximum number of requests are processed. The  default value is 1. The maximum value is 86400.