No, well, I think it might be possible but not without a little help from a couple of Duo applications.
This guide will get you going:
https://duo.com/docs/syncing_users_from_active_directory
You wouldn't need to add the MFA token to the username.
The (very basic) flow would be:
User authenticates on switch/router
TACACS or RADIUS request is sent to CPPM
CPPM sends request to Duo Authentication Proxy
Duo Authentication Proxy sends request to Duo
Duo sends MFA request to user's MFA device (smartphone, I assume)
User accepts MFA request & gains access to switch/router