Yes, all three are potentially possible.
For your applications that do LDAP authentication, you would point them to an Authentication Proxy configured with Duo LDAP.
Applications that use AD may also be pointed to the Duo LDAP application on the Authentication Proxy. If this AD directory is not the same one that the LDAP applications use, you can specify multiple LDAP authentication sources in the proxy config, and then multiple [ldap_server_auto] sections to use the different auth sources (if you wanted to power everything from just one Duo server; you could also have multiple Duo proxy servers for your different directories).
And finally, you can run RADIUS and LDAP listeners simultaneously on the same Authentication Proxy server as long as there is no port overlap (which is unlikely if you follow the port conventions for those protocols). Here are instructions for Cisco SSL VPN using RADIUS.
You may want to also review the full Duo Authentication Proxy Reference to see all the options.
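The layout described in the answer above (two directory sources, two [ldap_server_auto] sections and a RADIUS listener on one proxy) can be checked for port overlap before the service is restarted. The script below is an added example, not part of the original answer and not Duo's code; the sample config is constructed, the default ports in `LISTENERS` are assumptions to confirm against the reference, and it assumes every listener binds the same interface.

```python
import configparser
import re
from collections import defaultdict

# Constructed authproxy.cfg (placeholder hosts; credentials and Duo keys left out).
SAMPLE_CFG = """
[ad_client]
host=dc1.corp.example
search_dn=DC=corp,DC=example

[ad_client2]
host=ldap1.apps.example
search_dn=DC=apps,DC=example

[ldap_server_auto]
client=ad_client
port=389

[ldap_server_auto2]
client=ad_client2
; no port set: falls back to the default and collides with the listener above

[radius_server_auto]
client=ad_client
port=1812
"""

# Listener section type -> (transport, default port). Defaults are assumptions;
# confirm them in the Authentication Proxy Reference for your version.
LISTENERS = {"ldap_server_auto": ("tcp", 389), "radius_server_auto": ("udp", 1812)}

def audit(cfg_text):
    """Return (port conflicts, listeners whose client= names a missing section)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    bound, dangling = defaultdict(list), []
    for section in cp.sections():
        base = re.sub(r"\d+$", "", section)  # ldap_server_auto2 -> ldap_server_auto
        if base not in LISTENERS:
            continue
        transport, default = LISTENERS[base]
        port = cp.getint(section, "port", fallback=default)
        bound[(transport, port)].append(section)
        if cp.get(section, "client", fallback="") not in cp.sections():
            dangling.append(section)
    conflicts = {k: v for k, v in bound.items() if len(v) > 1}
    return conflicts, dangling

if __name__ == "__main__":
    print(audit(SAMPLE_CFG))
```

Ports are keyed by transport because LDAP listens on TCP and RADIUS on UDP, so the same number on both does not collide; two LDAP listeners left on the same port do.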