Yes it's possible to have 2FA along with ISE. In case of Cisco Duo, ISE integrates with Duo Authentication Proxy as External RADIUS Server. ISE sends RADIUS request to Duo Auth Proxy which does Primary authentication (Username/Password) with Active Directory or another RADIUS server. Once primary authentication is success, Duo Auth Proxy make API call to Duo Security service for Secondary authentication (Phone push for example) based on username configured on Duo as well as Active Directory (Both should match). Post successful secondary authentication, ISE sends back Access-Accept to NAD or user.
Please refer this link for detailed information, flow and config - https://www.cisco.com/c/en/us/support/docs/security/duo/217739-configure-duo-integration-with-active-di.html
-------------------------------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about ISE through our live Ask the Experts (ATXs) session. Check out Cisco ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-------------------------------------------------------------