Yes, unless the RSA agent has the capability to handle the account requests (not the case, I believe). Or you can use ldap.
As a side note, I would recommend against using the proprietary RSA .so. Instead, use pam-radius or pam-ldap. Pam-radius should be just as easy to set up and configure and you get the added benefit of being able to switch two-factor authentication providers without having to do make any changes on your hosts. Here is a doc on how to do it:
http://www.wikidsystems.com/support/...-radius-how-to (written for our 2FA solution, but just ignore our bits).
The other benefit is including your directory in the authentication process for authorization. If you use radius, you can run send the transaction to AD or LDAP via the MS radius plugin NPS and Freeradius, respectively. This configuration means that any user that is disabled in the directory can no longer log in remotely either. You don't want to have to disable users in two places. Also, directory admins would not also need to be admins on your 2FA server.
HTH,
Nick