Identify authentication method used by clients when authenticating to Proxy

Article ID: 170550

Products

ProxySG Software - SGOS

Issue/Introduction

You want to identify, or build a report on, the authentication method (Basic, NT LAN Manager (NTLM), or Kerberos) that clients actually negotiate when authenticating to the proxy.

Resolution

A real-time packet capture taken on the proxy shows the authentication method each client ultimately selected. However, searching a capture for this information user by user is tedious, and the pcap buffer is typically too small to leave the capture running, so this is not a viable option on networks with a high volume of traffic. The best approach is to add the ELFF (Extended Log File Format) field "x-auth-credential-type" to the access log format.

After the field is added, access log entries look like the following:

2024-1-28 03:53:44 419 <ip address> - - - -  NTLM None - authentication_failed PROXIED "Technology/Internet" 
2024-1-28 03:53:45 503 <ip address> testuser - example.com <ip address>  NTLM None - - PROXIED "Technology/Internet"
2024-1-28 03:53:47 426 <ip address> - - - -  NTLM None - authentication_failed PROXIED "Web Ads/Analytics" 
2024-1-28 03:53:47 243 <ip address> testuser - example2.com <ip address>  NTLM None - - PROXIED "Web Ads/Analytics" 
2024-1-28 03:53:50 489 <ip address> testuser - example3.com <ip address>  NTLM None - - PROXIED "Web Ads/Analytics"
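
To turn those log entries into the per-method report described above, the following added example (not part of the original article or of any Broadcom tooling) reads the column order from the log's #Fields directive and tallies requests and user names per authentication method. The field list, the sample rows and the "Kerberos"/"Basic" value spellings are constructed assumptions; only "x-auth-credential-type" and the "NTLM" value come from the article.

```python
import shlex
from collections import defaultdict

AUTH_FIELD = "x-auth-credential-type"  # ELFF field named in this article

# Constructed sample. The #Fields list, addresses, user names and the
# "Kerberos"/"Basic" spellings are assumptions; match them to your own log.
SAMPLE_LOG = """\
#Fields: date time time-taken c-ip cs-username x-auth-credential-type sc-filter-result cs-categories
2024-01-28 03:53:44 419 192.0.2.10 - NTLM PROXIED "Technology/Internet"
2024-01-28 03:53:45 503 192.0.2.10 testuser NTLM PROXIED "Technology/Internet"
2024-01-28 03:53:47 243 192.0.2.11 alice Kerberos PROXIED "Web Ads/Analytics"
2024-01-28 03:53:50 489 192.0.2.12 svc-backup Basic PROXIED "Web Ads/Analytics"
2024-01-28 03:53:52 120 192.0.2.11 alice Kerberos PROXIED "Technology/Internet"
2024-01-28 03:53:53 77 192.0.2.13
"""

def auth_method_report(lines, user_field="cs-username"):
    """Return {method: {"requests": n, "users": [...]}} for an ELFF log."""
    fields = None
    requests = defaultdict(int)
    users = defaultdict(set)
    for raw in lines:
        line = raw.strip()
        if line.lower().startswith("#fields:"):
            fields = line.split(":", 1)[1].split()  # column order for rows below
            continue
        if not line or line.startswith("#"):
            continue  # blank line or another header directive
        if fields is None or AUTH_FIELD not in fields:
            raise ValueError(f"{AUTH_FIELD} is not in the #Fields directive")
        try:
            values = shlex.split(line)  # keeps quoted values such as categories whole
        except ValueError:
            values = []  # unbalanced quotes: count the row as malformed
        if len(values) != len(fields):
            requests["<malformed>"] += 1  # truncated or unparsable row
            continue
        row = dict(zip(fields, values))
        requests[row[AUTH_FIELD]] += 1
        if row.get(user_field, "-") != "-":  # "-" means no user was logged
            users[row[AUTH_FIELD]].add(row[user_field])
    return {m: {"requests": n, "users": sorted(users[m])} for m, n in requests.items()}

if __name__ == "__main__":
    for method, info in auth_method_report(SAMPLE_LOG.splitlines()).items():
        print(f"{method:12} {info['requests']:4}  {', '.join(info['users']) or '-'}")
```

Rows that still carry "-" as the user, such as the initial challenge responses in the article's sample, are counted under their method but contribute no user name.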