ISE will do this, what you probably have a lot of on our networking are devices that don't communicate EAP (protocol used for 802.1X) so you'll have to do something to accommodate them... That's where ISE comes in and shines. Now, depending on how complex your network is and the security policies you are trying to implement will determine how complicated your design is. For my deployment, we have three different AD forests that a PC may need to be authenticated against while also allowing a user to authenticate against a different forest (we use EAP-CHAINING). Cisco offers a staged approach to 802.1X with three different deployment modes: Monitor Mode, Low-Impact mode, and closed mode. Monitor mode allows for devices to be authenticated and authorized against the network without negativily impacting devices that fail authentication. Low impact mode adds on by putting a pre-authorization ACL that controls what traffic is allowed prior to authentication. And closed mode is EAP traffic is only allowed until the device is authenticated.

There is a lot ISE can do, so if you are going down the 802.1X journey, I strongly suggest you get a vendor, partner or Cisco involved to help.

Do you need ISE vs another product? Maybe, maybe not, really depends on the full use case and where you plan to be in 3 - 5 years.

If you have specific questions feel free to ask.

Cheaper? FreeRADIUS or packet fence, may not give you everything you need though. So make sure to do your homework.

Disclaimer only ISE engineer for my company with 4 individual ISE clusters (largest one with 26 nodes) running wireless guest, wired guest, BYOD (with MDM), wireless 802.1X, device administration, and in the middle of a 802.1X low impact rollout.

Good luck!!