You can set up replication between the 2 SEPMs so that when 1 SEPM fails, the Enforcer will communicate with the other SEPM.
RADIUS failover is supported by the Enforcer. In the Enforcer settings on SEPM, you can input both of your ACS RADIUS servers into 1 RADIUS group and assign it to the Enforcer. The order of the ACS RADIUS servers matters. The Enforcer will first try to connect to the 1st ACS RADIUS server on the list; if there is no response, it will try the 2nd one.
LAN Enforcer failover is done at the switch level. Since you only have 1 LAN Enforcer, you can set up the RADIUS group on the switch so that the LAN Enforcer is 1st on the list and your ACS RADIUS server is 2nd on the list. This way, if the LAN Enforcer fails, the switch will contact your ACS for user authentication.
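
The switch-side ordering described above, as an added example that is not part of the original post. It assumes a Cisco IOS switch, which the post does not name; the server names, group name, addresses (documentation range) and shared secrets are placeholders.

```text
! Added example: assumes Cisco IOS; all names, IPs and keys are placeholders.
aaa new-model
!
! 1st in the group: the LAN Enforcer (acts as the RADIUS server/proxy)
radius server LAN-ENFORCER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <enforcer-shared-secret>
!
! 2nd in the group: the ACS RADIUS server, used only if the Enforcer is silent
radius server ACS-1
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <acs-shared-secret>
!
! Servers are tried in the order listed here
aaa group server radius NAC-GROUP
 server name LAN-ENFORCER
 server name ACS-1
!
aaa authentication dot1x default group NAC-GROUP
dot1x system-auth-control
!
! How long the switch waits before moving to the next server,
! and how long a non-responding server is skipped
radius-server timeout 5
radius-server retransmit 2
radius-server dead-criteria time 10 tries 3
radius-server deadtime 5
```

While the switch is falling back to ACS, users are authenticated without passing through the LAN Enforcer, so it is worth alerting on the switch's RADIUS server-dead log messages to know when that state begins and ends.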