CUCM VPN Profile

MrButton
Level 1

Question for those running a VPN for teleworkers. 

How are you doing your Client authentication method and authorization setup?

Are you doing certificate-based only? Do you have ISE doing authorization?

I tested the certificate method which works great, but I want to make sure I am following a best practice for security.

The VPN profile on the Firepower is certificate-based to allow the phone VPN profile to connect over the internet to CUCM, only publishing the collaboration networks in the split tunnel.

I appreciate any information and documentation.

 

5 Replies

With the introduction of Mobile Remote Access many years ago I think that there aren't that many still using phone VPN. Is there any specific reason why you want to use phone VPN instead of the more common and a lot easier to use MRA?


I did MRA at a previous place before with a contractor. At that time I felt MRA had more overhead with maintenance and additional resources for a server (VMware). I would always run into issues with MRA, whether it was QoS or just one-way communication. It had very low usage at the place I was at, so I did not spend too much time troubleshooting the MRA platform.

Where I am now there are a lot more teleworkers that require an IP hard phone for home. I suggested we do Jabber over VPN but the infosec dept denied it. I see VPN as having less overhead, because I already have the Firepower FMC and ISE in place. If I were to go MRA I'd need to allocate VMware resources and still have ISE authorizing the IP phone.

In my sandbox UCS, Firepower, VPN environment I tested VPN on the phone profile. It works great with certificate-based authentication. I just need to add the layer of security with ISE.

I was able to catch up with some CVDs. I found one that discusses 802.1X for IP telephony. Good stuff. This looks like the route I need to take using the LSC, similar to how I labbed the sandbox VPN. I bet I just have a few steps to implement between UCS and ISE to have the Firepower VPN profile do the authorization through ISE.

Did folks move towards MRA because of the AnyConnect licensing? 

With MRA there is no correlation with ISE. The authentication is done by CM. The most user friendly UX is where a registration code, created in device configuration in CM, is used.


In the long run, MRA turns out to be much cheaper and easier to manage and maintain (once the FW rules are in place you are good to go).

I have had a few deployments with MRA and they all work without any issues. You will need at least 1 public CA-signed certificate, and access to public DNS entries (for your org). You could test your MRA config on the Collaboration Solutions Analyzer page to verify most of the configuration issues.

URL for CSA https://cway.cisco.com/csa-new/#/home

HTH

Wilson Samuel

MrButton
Level 1

So once it reaches MRA and passes the network, how does the security work besides SSL? Maybe I am overthinking this proposed topology. I just don't want to introduce vulnerabilities. There have been and will continue to be too many sponsored attacks.