I haven't heard anything official, but from back-channel sources I've heard that CDA is dead. Cisco has not done their customer base the courtesy of announcing this nor have they done the courtesy of informing their customer base of the supported way forward, which appears to be ISE. People with inside knowledge and people who spend their time pouring over every Cisco product announcement are probably all over this, but the rest of us are not.

My impression here is that Cisco is pulling a bait-and-switch move: offering a very nice feature and then turning around and requiring you to purchase another product to make it work. Hopefully I'm very, very wrong about this. If I'm not, then this is the sort of business practice that makes us look much more closely at other vendors during our next refresh cycle - we would only stick with Cisco ASA if we had no reasonable alternative.

ISE-PIC (Identity Services Engine - Passive Identity Connector) has been available for several months now.

http://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/datasheet-c78-738846.html

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_00.html

It is the recommended and supported platform going forward. It is not free, but the list price is just US$1250 plus US$200 per year for full TAC support.

If you have a full ISE deployment, the features are all included in there as well.

We were told ICE-PIC wouldn't currently work with the WSAs and still have the WSA apply policies based on AD groups, at least a month ago now.

My understanding is that ISE-PIC is the "budget" way forward for WSA and ATA identity firewall, but that it's not ready to replace CDA yet.  The situation is a mess for the time being, because CDA is in an appallingly deep state of neglect. We're not impressed at all by the way Cisco is handling this.

Like you Erik, I am not impressed with how Cisco is handeling this. We now have to choose between removing Identity Firewall or staying on Windows AD 2012 indefenitly.

Allegedly ISE-PIC will resolve this issue eventually, and the street price of a pair (for redundancy) isn't going to break many budgets. But the amount of time between the release of Server 2016 and "eventually" is completely ridiculous, and the necessity of adding an additional paid component to maintain existing functionality is sketchy. 

This is arguable worse than the situation with Symantec adding support for Windows 2012 to BackupExec, and comparisons with Symantec are seldom flattering.

No they are still not. It also looks like WSA and CWS are going to go EOL, assumingly with CDA as well.

Very late, but finally they added support for Windows 2016 in CDA Patch 6.

https://www.cisco.com/c/en/us/td/docs/security/ibf/cda_10/release_notes/cda10_rn.html#pgfId-189162

Wow, this was unexpected. Tested and surprisingly it works with Windows Server 2016. Just read the documentation.

This solved an issue we had with IPv6 with CDA using ISE's syslogs as the identity provider, as the syslogs with IPv6 addresses were not parsed.

CDA however has its shortcomings

1. Looking at Windows Event Logs you will get the IP address used when the user logs in. Not a great idea when your clients are dual stack. You will usually only get the IPv6 address. You don't really have control of how the workstation communicates, so if it communicates with a IPv4 only enabled device you don't have identity
2. IP Filter Exclusions don't work with IPv6. Tried adding a IPv6 subnet but it won't validate the input

Other than that the Windows Server 2016 support was welcomed considering there is no alternative from Cisco for a client using ASA and recent Windows Server versions.