You are correct; for 802.1X authenticated SSIDs, the controller advertising the SSID needs to do the authentication. You can then send the user through the tunnel, but if you need the authentication to happen at the remote controller, MultiZone in AOS8 might be a better solution.
In short, L2 security is handled at the internal controller; L3 security can be done on either internal or anchor/DMZ.