Hi ddipert, thanks for your answers.
1) I want the master to authenticate my guests: what about the database? I understand that I must fill the DB on the master and leave the DB blank on the local(s). Do I have to duplicate the DB entries on the hot-standby, or is there a sort of "synchronization"?
2) Both master and hot-standby controllers have two interfaces: one "Internal" and one "External". The "Internal" runs VRRP and the downside connections to the local controller(s) (it's the interface that faces the MPLS network...). The "External" is connected to the Internet. On the "External" interfaces I actually don't run VRRP.
3) Ok. The VRRP is still running and working: if I use the "Internal" VRRP logical address as the destination tunnel address on each local controller, I keep the tunnels working even in the case of a master failure. That's ok. What doesn't make sense is the way I have to manage the redundancy on interface vlan4000, which is actually not bound to any physical port. At the moment I've created this interface only on the master controller and I use it as the default gateway for guests. In case of a master failure all GRE tunnels would correctly be terminated on the VRRP "Internal" address, but what would happen to the guests' default gateway?
Hope this helps to explain my headache.