Web Gateway can do RADIUS authentication on the back side, and most enterprise identity software can do RADIUS, so you should be able to do this. One of my colleagues said he was able to configure the admin GUI login to use McAfee One Time Password.
It is relatively easy to implement and has been done. You list several different types there.
Alladin, secureID etc are one time password mechanisms, essentially a token that either changes every x seconds or generates a new passcode when you hit a button. Those generally support radius.
You will want to use the authentication server and either do client/IP (store a username with an IP for a period of time) or cookie authentication. Direct proxy authentication is not possible as each new tcp/ip connection would require reauthenticating.
CAC and client certs work a little different as a public key is supplied based on some sort of hardware and possible pin. We call that x509, and there are rules in the library and several discussions on the subject.