The tunneling function must be supported by the switch ASIC. Currently only the switches below support tunneled node (port / user based).
Port based: 2920, 3800, 3810, 5400R, 2930M, 2930F.
User based: 2930F, 2930M, 5400R, 3810.
You can start with downloadable or programmable ACLs via RADIUS attribute on the currently installed switches, and move over to user-based tunneling when you start replacing switches.