Securid on APM requires the use of a user-space process called "ACED". This process is shared in the system. APMD or APD (depending on version of APM) load the sdconf.rec configuration into ACED and request authentications based on that destination address and/or DNS names. ACED is a black box to us (we get this library from RSA).
ACED does not allow any sort of source address configuration at L4. Nor does it allow any destination address configuration at L4 or L7. The source address configuration in the AAA object of ACED allows for a source IP address to be set at L7.
So basically the destination addresses or hostnames of the RSA servers are set inside of sdconf.rec, but only ACED can determine what they are going to be, and they are non-configurable. It must be able to route this authentication traffic in Linux user space.
Most RSA servers support also RADIUS protocol, which from a feature perspective to RSA is mostly equivalent, with the exception of: RSA+RADIUS does not support Adaptive Authentication, and there is some trouble configuring this with secondary node addresses, so the authentication packet source IP at L4 and L7 must match with the source IP defined in the Agent Host record. RADIUS protocol's advantage is that it's not secret, it uses a standard documented protocol, and also it's possible to manually set the destination L4 address instead of RSA picking it for you and putting it in sdconf.rec automatically..