So,
Failthrough is ONLY for when you have multiple authentication sources that have different user databases. If you simply have multiple RADIUS servers that point to the same database, it is inefficient, because upon a username or password failure, it will check all of them.
It is less restrictive, if you have CPPM, to put multiple authentication sources there and make decisions based on that than to use failthrough on the controller.
For example, if you have two domains, join CPPM to both of them and add both as authentication sources, and CPPM will go through them sequentially. That would eliminate the need to have termination and to put a server certificate on the controller. As soon as you pass more than one controller for redundancy or capacity, this makes even more sense. You would only need a certificate on CPPM for RADIUS, vs. a server cert for each controller.
Last, but not least, if you have a CPPM cluster, and all your CPPM servers are pointing to the same backend database like AD, do NOT enable failthrough. If you have all your CPPM servers in the server group, it will try the first one and it will only go on to the next one if the first one fails to respond. If you enable failthrough, it will register negative hits on ALL your servers, and that is inefficient. That will delay the client erroring out, which is essential for good performance.
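
The server-group behaviour described in the post above, as a small Python model (an added example, not part of the original post and not vendor code). Server names, users and passwords are constructed, and reducing each RADIUS exchange to accept, reject or timeout is a simplifying assumption.

```python
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"

class RadiusServer:
    """Constructed stand-in for one RADIUS server and its user database."""
    def __init__(self, name, users, alive=True):
        self.name, self.users, self.alive = name, users, alive

    def authenticate(self, user, password):
        if not self.alive:
            return TIMEOUT                      # server never responds
        return ACCEPT if self.users.get(user) == password else REJECT

def authenticate_via_group(servers, user, password, fail_through):
    """Walk the server group in order; return (final_result, trace)."""
    trace = []
    for server in servers:
        outcome = server.authenticate(user, password)
        trace.append((server.name, outcome))
        if outcome == ACCEPT:
            break
        if outcome == REJECT and not fail_through:
            break                               # a reject is final without failthrough
        # TIMEOUT always moves on; REJECT moves on only with failthrough
    outcomes = [o for _, o in trace]
    final = ACCEPT if ACCEPT in outcomes else REJECT if REJECT in outcomes else TIMEOUT
    return final, trace

# Constructed sample data: a cluster sharing one database, and two separate domains.
SHARED_AD = {"alice": "correct-horse"}

def cluster(first_alive=True):
    return [RadiusServer("cppm1", SHARED_AD, first_alive),
            RadiusServer("cppm2", SHARED_AD),
            RadiusServer("cppm3", SHARED_AD)]

TWO_DOMAINS = [RadiusServer("domain-a", {"alice": "correct-horse"}),
               RadiusServer("domain-b", {"bob": "battery-staple"})]

if __name__ == "__main__":
    for ft in (False, True):
        print("fail_through =", ft)
        print("  cluster, bad password:", authenticate_via_group(cluster(), "alice", "wrong", ft))
        print("  cluster, cppm1 down:  ", authenticate_via_group(cluster(False), "alice", "correct-horse", ft))
        print("  two domains, bob:     ", authenticate_via_group(TWO_DOMAINS, "bob", "battery-staple", ft))
```

In this model, failover on a non-responding server happens with or without failthrough; the setting only changes what follows a reject.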