If Tunneled Node with HA is required, you need to use either redundant Mobility Controllers using VRRP or redundant Mobility Controllers with one configured as primary and the other as the backup. If the Tunneled Node cannot get to a controller, there is no fail open.
The Mobility Access Switches natively support the same authentication types as the controllers (UDRs, 802.1X, MAC-Auth and Captive Portal), so you don't have to use Tunneled Node to bring authentication to the platform.