There is a way to add a field to the access logs of the proxy that will indicate the authentication type (BASIC, NTLM, etc) used by the client. However, Blue Coat Reporter is not currently designed to recognize this field and ignores it. You must post-process the access log files to get the data you seek.
The access log field name is cs-auth-type.
To add this field to the access logs, complete the following steps in the ProxySG appliance Management Console:
1) Select Configuration > Access Logging > Formats.
2) Create a NEW format with a name of your choosing.
2) Select the W3C ELFF option.
3) Delete the entire default format string and paste in the following string:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id cs-auth-type
Note: This is identical to the default bcreportermain_v1 format used for Reporter plus the cs-auth-type field added at the end.
4) Click OK; click Apply.
5) Select Configuration > Access Logging > Logs > General Settings.
6) From the Log: drop-down lopick the access log you're using and change the log format to use the new format you created. Accept the warning that displays.
The authentication type is now logged as the last field in the access log file, allowing you to get the data you need.