Robert Williams‌,
Great question! At the most basic level they are the same, in that they are both used as a way to pass your authentication information to the server and receive a response that allows or denies access.
We refer to the RSA Authentication Agents for Windows, PAM, web servers, etc. as agents. They communicate with the RSA Authentication Manager server using the native SecurID authentication protocol on port 5500. In the Security Console you would create a new agent by selecting Access > Authentication Agent > Add New.
Clients typically refer to those devices that communicate via RADIUS to the Authentication Manager server on port 1812 for authentication and 1813 for accounting (older devices used 1645 and 1646 respectively). Implementation guides for our partner products that use RADIUS and that are certified to work with Authentication Manager are found on the RSA Ready space. RADIUS clients are created in the Security Console by selecting RADIUS > RADIUS Clients > Add New.
Here is the tricky part: when creating your RADIUS client you will see an option to save the client and create an associated RSA Authentication Agent. Why do that? Because with both entries the Authentication Manager server can now handle both RADIUS authentication or standard native SecurID from the device's IP address.
ETA: Also, the corresponding agent entry that matches with the RADIUS client allows greater control that a RADIUS client alone cannot do. It allows specific RADIUS profiles to be set per RADIUS client, as well as restricted access based on group membership.
Regards,
Erica
