I’m not the best one to answer, but here goes. It depends. We were not currently using a radius server, so we just used the duo auth proxy to ‘look’ like one, and it can do both the AD verification and 2FA of course. It is limited to what it can do with AD, but it can check for membership in an AD group, and a few other things I seem to recall. If you are using your Cisco ACS for other radius-type things (accounting/logging) or requiring specific attributes, then I would think you’d want to define/use the ‘radius_client’ for the initial auth. The docs are your friend. Duo Authentication Proxy Reference | Duo Security