We already have our clusters connected to Active Directory and I have been using my AD account for SSH logins for years.  Following the steps  https://docs.netapp.com/us-en/ontap/authentication/configure-cisco-duo-mfa-task.html#bypass-duo-authentication-for-users  in we ran:

security login duo create -vserver Cardinal -integration-key <ikey here> -secret-key <skey here> -apihost <apihost here>
<create the "Duo Users - NetApps" group in Active Directory>
security login duo group create -vserver Cardinal -group-name "Duo Users - NetApp"

However when I SSH to the cluster I am never prompted with a Duo challenge.  "security logon duo show" says that the status is "OK".  We then tried to make a new AD group just called duo_netapp but the same issue exists where we never receive the challenge.