You cannot perform authentication on both Squid and MWG. Instead you should forward the username to MWG. MWG can be used to obtain user groups from Active Directory via LDAP and use this to apply policies. To shift the username to MWG you should adjust the cache_peer directive. A while back I used login=*:foo, which caused Squid to send a Proxy-Auth header with the original username followed by a "fake" password "foo".
On MWG I extracted the username and put it into Authentication.RawUsername. I think from there you can trigger Authentication.GetUserGroups to obtain the groups via LDAP, assuming the LDAP configuration is correct. This will fill the Authentication.UserGroups as required.
If I remember correctly I think I had set this up a while ago, so I assume it should work.
There is a predefined ruleset 'Lookup Username From "Proxy-Authorization: Basic" Header' that does the trick.
Squid indeed sends a base64-encoded header with username:foo, so your memory serves you well.
Message was edited by: aleksije on 12/22/12 1:08:40 AM CET
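
The header discussed in this thread, and one way a receiving proxy could extract the username from it, as an added example that is not part of the original posts and not MWG's own ruleset. The peer address, the sample user "jdoe" and the function names are assumptions; because the password is a fixed placeholder, the sketch only accepts the header from the Squid peer.

```python
import base64

# Assumption: address of the Squid box, the only peer allowed to assert usernames.
TRUSTED_SQUID_PEERS = {"192.0.2.10"}
# The fixed "fake" password from login=*:foo in the thread.
PLACEHOLDER_PASSWORD = "foo"


def basic_header(user, password):
    """Build the header value Squid sends upstream with login=*:<password>."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


# Constructed sample: what arrives for user "jdoe".
SAMPLE_HEADER = basic_header("jdoe", PLACEHOLDER_PASSWORD)


def forwarded_username(header_value, peer_ip):
    """Return the username asserted by Squid, or None if it must not be trusted."""
    # The password is a constant, so the header proves nothing by itself:
    # anyone who can reach the upstream proxy directly could claim any user.
    if peer_ip not in TRUSTED_SQUID_PEERS:
        return None
    scheme, _, token = (header_value or "").strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    # Split on the first colon only; the user-id part cannot contain one.
    username, sep, password = decoded.partition(":")
    if not sep or not username or password != PLACEHOLDER_PASSWORD:
        return None
    return username


if __name__ == "__main__":
    print(SAMPLE_HEADER)
    print(forwarded_username(SAMPLE_HEADER, "192.0.2.10"))
```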