IPFire or proxy server function to prompt for password?

We installed IPFire to prevent attacks from the Internet.
That has worked great.
However, I have not explored the extent of funtions available in IPFire.

Management now wants to restrict internal network users from accessing the Internet without first supplying a password.

I suspect the ability to prompt users for a password before allowing access to the Internet is a function that is more appropriately in a proxy server than it would be in a firewall.

While I don’t know all that IPFire can do, my impression is that the ability to prompt for a password would be an network application layer function.
Applying the concept of network layer models, my understanding is that IPFire’s functionality is at the network layers below what would be required to prompt users for passwords (i.e. at the application layer).

Am I correct about that?

Hey Tom,
welcome to the IPFire Community! It is possible to setup authentication for web proxy. Have al look at this: https://wiki.ipfire.org/configuration/network/proxy/wui_conf/auth
here you get a nice overview pf the supported authentication methods and how to configure them.
Hope this helps