How? That depends on what you want to do.
If you go through the documentation, it documents everything you need to put together a solution.
Or, give a clear and complete description of the problem. What do mean by MFA? What comes in the packet? How does FreeRADIUS verify the MFA / password?
If you describe the problem in detail, it is possible to give a detailed solution. If the description is vague and incomplete, then any help will necessarily be vague and incomplete.
These are good questions, What comes in the packet? It is PAP protocol - so Access-Request contains User-Name / User-Password
What do mean by MFA? It is under another investigation. For now it is password + otp . It may be one string password&otp or separate 2FA : password/otp
How does FreeRADIUS verify the MFA / password? I expect that rlm_rest module with backend server will check otp or even password + otp
If you go through the documentation, it documents everything you need to put together a solution. For now I'm stuck a bit with Proxy, which activates in the authorize section and skips authenticate section. It seems that verifying password&otp in other sections (except the authenticate section) does not allow us to follow the FreeRADIUS design flow.