You want to identify, or build a report on, the authentication method (Basic, NT LAN Manager (NTLM), or Kerberos) that clients actually negotiated.
A real-time packet capture taken on the proxy shows the authentication method each client ultimately selected. However, searching a capture for this information for every user is tedious, and the pcap buffer is typically too small to leave a capture running, so this is not a viable option on networks with a high volume of traffic. The best approach is to include the ELFF (Extended Log File Format) field "x-auth-credential-type" in the access log.
After adding the field, the access log looks like this:
2017-11-28 03:53:44 419 10.0.0.1 - - - - NTLM None - authentication_failed PROXIED "Technology/Internet"
2017-11-28 03:53:45 503 10.0.0.1 testuser - purple.com 126.96.36.199 NTLM None - - PROXIED "Technology/Internet"
2017-11-28 03:53:47 426 10.0.0.1 - - - - NTLM None - authentication_failed PROXIED "Web Ads/Analytics"
2017-11-28 03:53:47 243 10.0.0.1 testuser - d.adroll.com 188.8.131.52 NTLM None - - PROXIED "Web Ads/Analytics"
2017-11-28 03:53:50 489 10.0.0.1 testuser - d.adroll.com 184.108.40.206 NTLM None - - PROXIED "Web Ads/Analytics"
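
To turn such a log into the per-user report described above, the following added example (not part of the original article or any vendor tooling) counts the credential type per authenticated user and tallies authentication_failed rows per client IP. The column positions are an assumption inferred from the sample lines above, and the names c-ip, cs-username and x-exception-id are assumed labels for those columns; if the log carries an ELFF "#Fields:" directive, the positions are taken from it instead.

```python
import shlex
from collections import Counter

# Column positions inferred from the sample lines on this page (assumption);
# replaced when the log carries an ELFF "#Fields:" directive.
DEFAULT_COLS = {"c-ip": 3, "cs-username": 4,
                "x-auth-credential-type": 8, "x-exception-id": 11}

# The five access-log lines shown on this page.
SAMPLE = """\
2017-11-28 03:53:44 419 10.0.0.1 - - - - NTLM None - authentication_failed PROXIED "Technology/Internet"
2017-11-28 03:53:45 503 10.0.0.1 testuser - purple.com 126.96.36.199 NTLM None - - PROXIED "Technology/Internet"
2017-11-28 03:53:47 426 10.0.0.1 - - - - NTLM None - authentication_failed PROXIED "Web Ads/Analytics"
2017-11-28 03:53:47 243 10.0.0.1 testuser - d.adroll.com 188.8.131.52 NTLM None - - PROXIED "Web Ads/Analytics"
2017-11-28 03:53:50 489 10.0.0.1 testuser - d.adroll.com 184.108.40.206 NTLM None - - PROXIED "Web Ads/Analytics"
"""


def auth_report(lines):
    """Return (methods, failures).

    methods:  Counter[(username, credential type)] for identified users
    failures: Counter[(client IP, credential type)] for authentication_failed rows
    """
    cols = dict(DEFAULT_COLS)
    methods, failures = Counter(), Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            cols = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)  # quoted category list stays one token
        except ValueError:
            continue  # unbalanced quotes: skip the malformed row

        def get(name):
            i = cols.get(name)
            return fields[i] if i is not None and i < len(fields) else "-"

        method = get("x-auth-credential-type")
        if method == "-":
            continue  # unauthenticated request or field not logged
        if get("x-exception-id") == "authentication_failed":
            failures[(get("c-ip"), method)] += 1
        elif get("cs-username") != "-":
            methods[(get("cs-username"), method)] += 1
    return methods, failures
```

Calling `auth_report(open(path))` on an exported access log returns the two counters, which can be written out as a table or fed to a reporting tool.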