Anton Pashchenko, 2020-05-28 17:19:00
FreeBSD

How do I route AD users on a FreeBSD proxy through different channels depending on their group?

There is an AD + DHCP server based on Windows 2008 R2 and a backup AD server on Windows 2019. Replication is working fine, and we would like to get rid of the old server and switch to the new one completely. What prevents this is two proxy servers on FreeBSD 9. These proxies run squid 3: the first with authentication against AD on the 2008 R2 server, the second without domain authentication but with squid 3 + dansguardian. The first proxy lets the administration out through an unfiltered channel; the second lets teachers out through a filtered channel (via squid) and children through a whitelist (dansguardian). The old squid cannot authenticate against Windows 2019, because that protocol (NTLM) is obsolete and no longer works. The idea (I have a feeling it is possible) is to build one proxy server with two Internet channels, where squid sends users one way or the other depending on their AD group.
Additional requirements:

  • The administration must go through the "gateway" (transparent squid), IP handed out via DHCP, over the unfiltered channel
  • Teachers must go through the "gateway" (transparent squid), IP handed out via DHCP, over the filtered channel
  • Students must only get a whitelist, over the filtered channel

I have searched all over Google and found nothing worthwhile (maybe I was looking in the wrong place). Tell me: is it possible? If so, where should I dig?

1 answer

CityCat4 (@CityCat4), 2020-05-28

At the end of 2019, shortly before it closed down, "System Administrator" ran a couple of articles on setting up squid for authentication through Kerberos and managing groups through AD. The task is quite solvable on one proxy. It can be solved even without group management, but there is also an article about bumping, without which all access control now shrinks to control of the initial connection, and even that only provided DoH is not involved or the DoH servers are blocked.
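As an added example, not part of the question or the answer above, here is what the single-proxy design the answer points at looks like in squid 3.x terms: Kerberos (Negotiate) authentication against the domain, an AD group lookup per user, and a different outbound uplink per group via tcp_outgoing_address. Every host name, realm, address, path, subnet and group name is an assumption for illustration. It also departs from the original two-box layout in two assumed ways: browsers are configured to use the proxy explicitly (WPAD or GPO) rather than being intercepted, because Negotiate/Kerberos cannot authenticate a user on a transparent connection; and the students' whitelist is done in squid itself with a dstdomain ACL instead of dansguardian.

```conf
# Added example squid.conf (not from the original post): one squid 3.x instance on
# FreeBSD with Kerberos auth, AD group lookup and per-group uplink selection.
#
# Assumed environment (all values are placeholders):
#   - browsers use the proxy explicitly (WPAD/GPO); no interception
#   - keytab for HTTP/proxy.school.local@SCHOOL.LOCAL in /usr/local/etc/squid/proxy.keytab,
#     exported to the helpers as KRB5_KTNAME in squid's rc environment
#   - 203.0.113.10 is the proxy's address on the unfiltered uplink,
#     198.51.100.10 its address on the filtered uplink
#   - student machines sit in 10.20.0.0/16 and have no domain accounts

http_port 3128

# Kerberos (Negotiate) authentication against the domain; NTLM is not used at all.
auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -s HTTP/proxy.school.local@SCHOOL.LOCAL
auth_param negotiate children 10
auth_param negotiate keep_alive on
acl auth proxy_auth REQUIRED

# One group-lookup helper per AD group, so each group becomes its own ACL.
# ext_kerberos_ldap_group_acl ships with squid 3.2+ (squid_kerb_ldap in older releases).
external_acl_type ad_admins   ttl=3600 negative_ttl=300 %LOGIN \
    /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g Proxy-Admins@SCHOOL.LOCAL
external_acl_type ad_teachers ttl=3600 negative_ttl=300 %LOGIN \
    /usr/local/libexec/squid/ext_kerberos_ldap_group_acl -g Proxy-Teachers@SCHOOL.LOCAL
acl admins   external ad_admins
acl teachers external ad_teachers

# Students: no authentication, whitelist only (one domain per line in the file).
acl students          src 10.20.0.0/16
acl student_whitelist dstdomain "/usr/local/etc/squid/student_whitelist.txt"

http_access allow students student_whitelist
http_access deny  students

# Everyone else must authenticate and belong to one of the two groups.
# The external ACLs are deliberately evaluated here, before tcp_outgoing_address.
http_access deny  !auth
http_access allow admins
http_access allow teachers
http_access deny  all

# Choose the uplink by source address: admins unfiltered, everyone else filtered.
tcp_outgoing_address 203.0.113.10  admins
tcp_outgoing_address 198.51.100.10 teachers
tcp_outgoing_address 198.51.100.10 students
```

Two caveats matter in practice. First, tcp_outgoing_address is a "fast" ACL check: an external ACL only matches there if its result is already cached from an earlier http_access evaluation, which is why the group ACLs are used in http_access first. Second, giving squid a second source address does not by itself move traffic onto the second ISP; the FreeBSD kernel still routes by destination, so the filtered uplink needs policy routing keyed on the source address (a pf route-to rule, or a second FIB via setfib), otherwise both addresses leave through the default gateway.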
