SecureID works fine with UAC. The FW would then not authenticate you to the Radius server, but the IC would authenticate you to the RSA box. You could then either use the UAC agent on your workstations or use agentless access through a web browser. Then we can do either SourceIP to the FW or do individual VPN's from the endpoints to the FW. Also, uac integrates with 802.1x capable switches for even more security.