Hi,
I have tried to replicate your scenario from the information you have provided (though it's still quite vague). Can you confirm if the attached picture represents your current deployment?
If that picture depicts the correct scenario, below should be the list of events:
1. A client should try to connect to the network (automatically in case Hotspot 2.0 is enabled, or manually in case you are using Plain EAP-SIM Authentication).
2. Your Access Points are connected to Airport Local; it will handle your communication with the RADIUS Server and terminate your session. Your Local Controllers will communicate with your AAA servers to authenticate users, and these Locals will be added as clients on your AAA servers.
3. As I understand from the description, you also have an L2 firewall after the DMZ that swaps the authentication VLAN. So effectively, I assume your gateway should be positioned as: DMZ-->Firewall-->Gateway. Everything will be L2 between Airport Local and the gateway. Your firewall will flip or swap your authentication VLAN at the egress interface to isolate your Core Network from direct external access. Obviously this traffic will flow through the GRE tunnel towards the DMZ, and you have to allow that VLAN over your GRE.
4. Once your traffic reaches your gateway to reach AAA, it will be routed accordingly. AAA will validate the EAP-SIM credentials, and return traffic will follow the same path. So, your supplicant will be the end users, the authenticator will be Airport Local, and the authentication server will be the AAA server.
5. Once the user authenticates successfully, the user should be able to acquire an IP address, and you should be able to see his session on the Airport Local Controller.
Your DMZ will just be carrying authentication traffic and user traffic to your DC via the GRE tunnel, and the firewall will be isolating your core network from direct outside access. Authentication traffic needs to be passed through the firewall to avoid external controllers (I believe you don't own the Airport Controllers) having direct access to your Core network, and client traffic (post authentication) should take the normal path, as other EAP-SIM users are taking in your network.