Redhat 7, SSD, Local and Duo

Trying to get Redhat 7 working with SSD, Duo and local users. SSD integration with Active Directory is fine.
Using the following config - Duo works fine with AD users, but it never prompts for a password for local users. It just logs in if you already have the pubkey. If you don’t, it prompts you, then lets you just log in.

Feedback certainly welcome.

PubKeyAuthentication no
PasswordAuthentication no
UsePam yes
ChallengeResponseAuthentication yes
UseDNS no
AuthenticationMethods keyboard-interactive

auth required
##Duo 2FA Changes begin
#auth include password-auth
auth required
auth [success=3 default=ignore]
auth [success=1 default=ignore]
auth requisite
auth [success=1 default=ignore]
auth requisite
auth required
###End Duo Changes
account required
account include password-auth
password include password-auth close should be the first session rule
session required close
session required open should only be followed by sessions to be executed in the user context
session required open env_params
session required
session optional force revoke
session include password-auth