Wired Intelligent Edge

Scenario:

Contractors/Guests are connecting to several layer3 MAS across a campus.  Their traffic needs to physically flow from the MAS to the data center controllers and out an unrouted VLAN with an ISP connection dedicated to guests.  Since the guests are sharing the same infrastructure as the company, logical separation of traffic is necessary.  To accomplish this, encapsulation will be used.  Which is appropriate in this case?  Tunneled node or L2 GRE to controller?

I've setup L2 GRE tunnels between controllers before to span a wireless network, but haven't tried this with a MAS yet.  I assume it would work just the same, but I also know I have tunneled mode available on the MAS.  As far as I can tell, it's very similar since GRE tunnels are used, but there is the benefit of having all of the policy enforcement done in one place - the controller.  That may not even factor in, so then what is the benefit in choose tunneled mode, as opposed to just setting up an L2 GRE?

If the devices aren't authenticating, do you see any benefit over one solution?

For instance, the tunneled node option allows a backup controller to be specified.  L2 GRE doesn't.  Would VRRP between the controllers be the solution?