There are LOTS of reasons you could be getting this end result.

Since you mention Duo Authentication proxy and you're on a free plan I have assumed you are setting up the RADIUS config for your FTD.

Your best first step would be to enable debug logging at the Duo Authentication Proxy to see what is happening...
- Does the Duo proxy server receive the incoming RADIUS request from the FTD?
- Does AD authentication succeed (if you are using radius_server_auto with ad_client pointing to your DC)?
- Does the Duo proxy successfully make a POST to the Duo service preauth endpoint and get a response indicating the user can authenticate?
- Does the Duo proxy follow that with a POST to auth to start a MFA request?
- If so, what is the result?

It is worth mentioning that Duo administrator users and Duo end-users are distinct types of users. Activating Duo Mobile for your admin account does not also activate it for you as an end. user. The end user must exist separately in Duo and have its own separate Duo Mobile activation for push to work (this point gets missed sometimes).

These articles will help you:

https://help.duo.com/s/article/1126
https://help.duo.com/s/article/2953

Please don't paste your entire log here. If you want to share a snippet be sure to redact sensitive info like your usernames, server IPs (if they use public addressing), and Duo integration keys and API host name.

> When I log in with the user at AD, it's successful without prompting for the second authentication.

I am not sure why you would expect a Duo auth here. Duo does not directly protect AD logins.