Clairfy something here.
Are you saying you have 2 proxies chained and squid is authenticating?
Client -> Squid -> MWG -> Internet
you are not allowed to do this. Only the first proxy can do browser authication.
Yes, this (Client > Squid > MWG > Internet) is the configuration. I am not aware why this should be forbidden. Is there any part in the documentation stating this issue?
And why should it be working (allowed or not) with MWG6 but not with MWG7?
It is not a restriction of MWG, per se, but a restriction with the HTTP protocol. It's forbidden in the RFC.
The only suggestion is to somehow put the username into an X-Authenticated-User: and X-Authenticated-Groups: header in the request and have MWG strip those out and use them.
Unfortunately, i don't think Squid and insert custom headers like that, but 2 MWGs in a row can.