Ran into an issue setting up both client VPN and anyconnect VPN using Duo MFA radius proxy service without using SSO, Active Directory or SAML. Went back and forth with both Meraki and Duo tech support who refused to communicate with each other which is frustrating since they are both owned by cisco. I am going to post a sample config file for Duo's radius proxy with notes in the hope it will save someone some time and headache.

; Complete documentation about the Duo Auth Proxy can be found here:
; https://duo.com/docs/authproxy_reference

; NOTE: After any changes are made to this file the Duo Authentication Proxy
; must be restarted for those changes to take effect.

; MAIN: Include this section to specify global configuration options.
; Reference: https://duo.com/docs/authproxy_reference#main-section
;[main]
[main]
debug=true


; CLIENTS: Include one or more of the following configuration sections.
; To configure more than one client configuration of the same type, append a
; number to the section name (e.g. [ad_client2])

[duo_only_client]

; SERVERS: Include one or more of the following configuration sections.
; To configure more than one server configuration of the same type, append a
; number to the section name (e.g. radius_server_auto1, radius_server_auto2)

[radius_server_auto]
ikey=From Duo Admin Site
skey=From Duo Admin Site
api_host=From Duo Admin Site
radius_ip_1=Local IP Address of your Meraki
radius_secret_1=You Create This, it must match in Meraki Dashboard
failmode=safe
client=duo_only_client
;The following line must be added to the conf file otherwise you cannoth enable
;RADIUS message-authenticator verification, which leaves your VPN vulnerable
force_message_authenticator=true  
port=1812

Also you need to set your Radius timeout to something like 60 seconds (or more) to allow your users to approve the connection in their duo mobile app. Your Meraki Dashboard should look like this (with the obvious substitutions)

Feel free to reach out to me if you have any questions.