Use 3rd party MFA

I have IPA/IdM setup in a POC on RHEL 7 (latest). Working with Windows AD. However we are migrating to a DUO for MFA on everything. I want to be able to use this with RHEL IPA/IdM. However everything that I am reading says that I need to put a FreeRADIUS server in front of my jump host. I have also learned that I need to do krb5 authentication with FreeRADIUS in order to achieve 2FA using DUO.

Has anyone done this?

Have you configured it in this manner? Or in another manner to make it work?
Either way, how?

I have got FreeRADIUS talking to LDAP AND talking to Kerberos. But not both.