I believe your issue is that the Require user dev must come before the Require ip statements. If you use LogLevel debug you should see that once the IP is denied it will stop checking further rules (hence not requesting the authentication. On the other hand, the user clause would give denied (no authenticated user) in your logs, check further rules, and upon no grant/deny would ask for authentication; after which it would grant the user clause and stop checking further rules.