It is relatively easy to implement and has been done. You list several different types there.
Alladin, secureID etc are one time password mechanisms, essentially a token that either changes every x seconds or generates a new passcode when you hit a button. Those generally support radius.
You will want to use the authentication server and either do client/IP (store a username with an IP for a period of time) or cookie authentication. Direct proxy authentication is not possible as each new tcp/ip connection would require reauthenticating.
CAC and client certs work a little different as a public key is supplied based on some sort of hardware and possible pin. We call that x509, and there are rules in the library and several discussions on the subject.