You can use RADIUS via the Duo Authentication Proxy application on any Duo Edition.
You’ll want to follow our Palo Alto documentation all the way through the section that describes setting up the Authentication Profile.
Duo can only protect administrator logins that use an Authentication Profile, not ones that live locally on the appliance.
You can add the Authentication Profile to an existing administrator, or add a new administrator (using sAMAccountName as the username) by going to Device > Administrators > Add.
Select the Authentication Profile that you created earlier to point towards the Duo Authentication Proxy.
One quick callout is that you have the option to change between [radius_server_auto], as seen in our documentation, and [radius_server_challenge]. What the latter gives you is a more interactive UI when logging in, as opposed to an automatic Duo Push.
Let us know if you have any questions, or feel free to email our Technical Support Team at firstname.lastname@example.org.
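For the [radius_server_auto] versus [radius_server_challenge] choice described above, this is a sketch of the relevant part of the Authentication Proxy's authproxy.cfg. It is an added example, not taken from the original post or from Duo's documentation. Every value is a placeholder, and using [ad_client] as the primary authenticator is an assumption based on the sAMAccountName usernames mentioned above.

```ini
; authproxy.cfg (added example; every value below is a placeholder)

; Primary authentication against Active Directory (assumed here because
; the administrators are created with their sAMAccountName).
[ad_client]
host=AD_SERVER_IP_PLACEHOLDER
service_account_username=SERVICE_ACCOUNT_PLACEHOLDER
service_account_password=SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER
search_dn=DC=example,DC=com

; Option A: [radius_server_auto]
; After the primary credentials are accepted, the proxy sends an
; automatic Duo Push without asking the administrator anything.
;
; Option B: [radius_server_challenge]
; After the primary credentials are accepted, the proxy answers with a
; RADIUS challenge, so the login page prompts the administrator to pick
; a factor or type a passcode.
;
; Switching between the two is a change of section header; the keys
; below are the same in both. Restart the proxy service after editing.
[radius_server_challenge]
ikey=INTEGRATION_KEY_PLACEHOLDER
skey=SECRET_KEY_PLACEHOLDER
api_host=API_HOSTNAME_PLACEHOLDER
; Address of the firewall interface that sends the RADIUS requests.
radius_ip_1=FIREWALL_IP_PLACEHOLDER
; Must match the secret set in the firewall's RADIUS server profile.
radius_secret_1=RADIUS_SHARED_SECRET_PLACEHOLDER
client=ad_client
port=1812
; "secure" rejects logins when Duo's service cannot be reached;
; "safe" lets them through on primary authentication alone.
failmode=secure
```

Treat authproxy.cfg as a secrets file, since it holds the Duo secret key, the RADIUS shared secret and the directory service account password in one place.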