In the vast majority of Duo Authentication Proxy installations for devices and services using RADIUS this is a true statement; there is no need to deploy a second RADIUS server in addition to the Duo Authentication Proxy server that handles RADIUS requests. The Duo Authentication proxy acts as a client to an upstream existing LDAP or RADIUS primary authentication service, and itself acts as a RADIUS or LDAP server to devices or applications.
The majority of our VPN customers already have an external authentication service in use, and now they want to add Duo 2FA to these logins. That’s why the instructions on the rest of the page reference configuring your primary authenticator in the Duo proxy. and then move on to configuring your device as a RADIUS client of the Duo proxy.
Even when someone is not using external primary authentication, many devices support adding separate RADIUS secondary authentication while using a different primary authentication source (which may even be the local DB of the device). For example, Cisco ASA, Juniper/Pulse SSL VPN, and Citrix NetScaler all support adding Duo as secondary authentication for MFA only. In these configurations it is also not necessary to configure a separate RADIUS server in addition to the Duo proxy.
It sounds like you were not already using an external service for authentication, and additionally that the UTM does not support combining local primary with secondary external authentication. This is not the typical use case and I apologize for the instructions seeming confusing or misleading for this reason.
I’m a bit confused now as well. It sounds like you do not have Active Directory (based on your other post), but set up NPS. I’m guessing that you configured the Duo proxy as a RADIUS client of that NPS server, and then pointed the UTM to the Duo proxy? Were you using UTM local authentication before? Did you recreate the local UTM users in NPS?
We don’t recommend using Duo as your only authenticator, so just trying to figure out what is providing primary authentication in this scenario.