I don’t think you can do this with Duo.
While the Duo Authentication Proxy supports Duo-only authentication over RADIUS (where the Duo proxy does not attempt primary credential verification and only performs two-factor auth), IIRC there isn’t an option in RRAS to chain local primary authentication (for your non-AD users) to external secondary authentication (like adding Duo for 2FA-only via RADIUS).
Even Microsoft’s own MFA solution for RRAS requires use of an external RADIUS server (NPS) and Active Directory.
Granted, it’s been a few years since I looked closely at RRAS and that was enough to make me never want to look again. If someone in the community has more up-to-date info about chaining authentication in RRAS hopefully They’ll chime in.