We do it through DUO's Authentication Proxy that integrates with an existing RADIUS server (we use Microsoft's Network Policy Server as the RADIUS server).
Essentially the DUO Proxy can be a Radius Server and server AD Requests.
The DUO Support exists, because XG has in V18 a Radius Timeout.
DUO generate the request to wait until the user confirms. In XGv17, this was 6 Sec until the request is denied. In V18, you can configure this timeout up to 60 sec.
The doc would be: Follow the DUO Doc to get a Radius server. Implement the Radius server into XG and configure the proper Timeout value.
Personally, if you haven't already, I would get XG working directly with the RADIUS server first to check that part is working and configured correctly. Then introduce DUO Authentication Proxy. It just makes it easier to get the different parts of the configuration right rather than trying to do it all as one job.
