Our Sales Engineers have gotten this working before with a Cisco ISE via the following process. Please let us know if this works for you and we can look into making some documentation public in our KB:
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate RADIUS in the applications list. Click Protect this Application to get your integration key, secret key, and API hostname. See Getting Started for help.
Install the Duo Authentication Proxy
Configure the Proxy:
Start the Proxy by running: net start DuoAuthProxy
Login to Cisco ISE
Now change your Authentication Policy to use the External Identity Source you created for Duo. This is done under Work Centers > Device Administration > Device Admin Policy Sets.
Now configure the network device to talk TACACS+ to the Cisco ISE server. The key thing with the commands is that the authentication timeout for the network device is configured for 60 seconds. The default is 5 seconds.
Run the following:
tacacs-server login-timeout 60
tacacs-server host 10.10.1.1 timeout 60
More generally, here are two potential TACACS authentication flows leveraging the AuthProxy: