Red Hat 7, SSSD, Local and Duo

Trying to get Red Hat 7 working with SSSD, Duo and local users. SSSD integration with Active Directory is fine.
Using the following config - Duo works fine with AD users, but it never prompts for a password for local users. It just logs in if you already have the pubkey. If you don’t, it prompts you, then lets you just log in.

Feedback certainly welcome.

/etc/ssh/sshd_config:
PubKeyAuthentication no
PasswordAuthentication no
UsePam yes
ChallengeResponseAuthentication yes
UseDNS no
AuthenticationMethods keyboard-interactive

/etc/pam.d/sshd:
#%PAM-1.0
auth required pam_sepermit.so
##Duo 2FA Changes begin
#auth include password-auth
auth required pam_env.so
auth [success=3 default=ignore] pam_localuser.so
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_unix.so
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
###End Duo Changes
account required pam_nologin.so
account include password-auth
password include password-auth
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
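
Added example (not part of the original post): a small Python model of how Linux-PAM walks the auth lines quoted above, showing which modules a local account and an AD account actually reach. It handles only the success and default actions used in that stack, and the set of modules that succeed is a constructed input, not data from the poster's system.

```python
# Added example: minimal model of Linux-PAM control handling for an auth stack.
AUTH_STACK = """\
auth required pam_sepermit.so
auth required pam_env.so
auth [success=3 default=ignore] pam_localuser.so
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_unix.so
auth [success=1 default=ignore] pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
"""

# Keyword controls written in their bracket form, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

def parse(text):
    stack = []
    for line in text.splitlines():
        if "[" in line:
            ctrl = line[line.index("[") + 1:line.index("]")]
            actions = dict(kv.split("=") for kv in ctrl.split())
            module = line[line.index("]") + 1:].split()[0]
        else:
            _, ctrl, module = line.split()[:3]
            actions = KEYWORDS[ctrl]
        stack.append((module, actions))
    return stack

def evaluate(stack, succeeds):
    """Return (granted, modules_run); `succeeds` is the set of modules that pass."""
    ran, good, bad, i = [], False, False, 0
    while i < len(stack):
        module, actions = stack[i]
        ran.append(module)
        key = "success" if module in succeeds else "default"
        action = actions[key]
        if action.isdigit():            # jump over the next N modules
            i += int(action)
            action = "ok" if key == "success" else "ignore"
        good |= action in ("ok", "done")
        bad |= action in ("bad", "die")
        if action == "die" or (action == "done" and not bad):
            break
        i += 1
    return good and not bad, ran
```

In this model a local account's trace is pam_sepermit.so, pam_env.so, pam_localuser.so, pam_deny.so: the success=3 jump passes over pam_sss.so, pam_unix.so and pam_duo.so, so neither the password nor the Duo module is ever called for that account.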