Tough to say why without known more.
You certainly want to test this again.
Take a cell, get its IP and start rule engine tracing on the proxy. That will tell you where it stops.
In addition, can you describe what error message your users are getting?
the error message from the tracing shows:-
and also mentions that the user is not part of profile 1 or 2 or 3 or any others.
even the username and password are correct
These links helped me with Auth and mobile phones:
Now in explicit proxy mode, which it sounds like you have setup, it should be easier for you to 'trust' the proxy from the phone. One thing that kept biting me even then was with certificate trusts. If the device does not trust the CA, if you are using an internal CA for cert signing an such, then the iPhone may not let the authentication server do its voodoo to auth the device to the network. Make sure you trust those certs and that may help.
Another way I found very helpful info is by doing this:
Go to -> Policy - Rule Sets Tab. Then choose to "Add Rule Set from Library". Now click on the link " Online Rule Set Library" in the top right of that window. Now do a search for 'auth' and you should find not only rule sets but documentation download options. That was gold that helped me as well. You can also import those pre-canned rulesets too to get you started. Good luck!