diff --git a/octaviaclient/osc/v2/constants.py b/octaviaclient/osc/v2/constants.py index a3d8f39..2963e5c 100644 --- a/octaviaclient/osc/v2/constants.py +++ b/octaviaclient/osc/v2/constants.py @@ -71,7 +71,8 @@ LISTENER_ROWS = ( 'timeout_member_data', 'timeout_tcp_inspect', 'updated_at', - 'client_ca_tls_container_ref') + 'client_ca_tls_container_ref', + 'client_authentication') LISTENER_COLUMNS = ( 'id', diff --git a/octaviaclient/osc/v2/listener.py b/octaviaclient/osc/v2/listener.py index a9ded5a..bf70faf 100644 --- a/octaviaclient/osc/v2/listener.py +++ b/octaviaclient/osc/v2/listener.py @@ -23,6 +23,7 @@ from octaviaclient.osc.v2 import constants as const from octaviaclient.osc.v2 import utils as v2_utils PROTOCOL_CHOICES = ['TCP', 'HTTP', 'HTTPS', 'TERMINATED_HTTPS', 'UDP'] +CLIENT_AUTH_CHOICES = ['NONE', 'OPTIONAL', 'MANDATORY'] class CreateListener(command.ShowOne): @@ -141,6 +142,14 @@ class CreateListener(command.ShowOne): help="The URI to the key manager service secrets container " "containing the CA certificate for TERMINATED_TLS listeners." ) + parser.add_argument( + '--client-authentication', + metavar='{' + ','.join(CLIENT_AUTH_CHOICES) + '}', + choices=CLIENT_AUTH_CHOICES, + type=lambda s: s.upper(), # case insensitive + help="The TLS client authentication verify options for " + "TERMINATED_TLS listeners." + ) return parser @@ -370,7 +379,14 @@ class SetListener(command.Command): help="The URI to the key manager service secrets container " "containing the CA certificate for TERMINATED_TLS listeners." ) - + parser.add_argument( + '--client-authentication', + metavar='{' + ','.join(CLIENT_AUTH_CHOICES) + '}', + choices=CLIENT_AUTH_CHOICES, + type=lambda s: s.upper(), # case insensitive + help="The TLS client authentication verify options for " + "TERMINATED_TLS listeners." + ) return parser def take_action(self, parsed_args): diff --git a/octaviaclient/osc/v2/utils.py b/octaviaclient/osc/v2/utils.py index b829453..3875133 100644 
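Review bot: The help string for `--client-authentication` in CreateListener (hunk `@@ -141,6 +142,14 @@`) names "TERMINATED_TLS" listeners, but the protocol this CLI accepts is `TERMINATED_HTTPS` (see `PROTOCOL_CHOICES`), and it never says what the three values mean. As I understand the Octavia API, only `MANDATORY` refuses a client that presents no certificate, so the help should say so, e.g. `help="TLS client certificate verification for TERMINATED_HTTPS listeners: NONE (not requested), OPTIONAL (verified only if presented), MANDATORY (required)."`. The same text is repeated in the SetListener hunk at `@@ -370,7 +379,14 @@`, and the wording appears to be copied from the neighbouring `--client-ca-tls-container-ref` help. Nothing visible here ties `OPTIONAL`/`MANDATORY` to a CA container being supplied; presumably the server validates that, but it is worth stating in the help. get_parser starts above this hunk.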
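Review bot: The `--client-authentication` argument in SetListener (hunk `@@ -370,7 +379,14 @@`) is a verbatim copy of the one added to CreateListener, inline `lambda s: s.upper()` included, so the accepted values and help text for a security setting now live in two places that can drift apart. I would move the `add_argument` call into one module-level helper next to `CLIENT_AUTH_CHOICES`, `def _add_client_authentication_arg(parser):`, and call `_add_client_authentication_arg(parser)` from both get_parser methods; `type=str.upper` would also replace the lambda. The hunk also drops the blank line that separated the last `add_argument` call from `return parser`, which CreateListener keeps. Both get_parser bodies start outside their hunks.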
--- a/octaviaclient/osc/v2/utils.py +++ b/octaviaclient/osc/v2/utils.py @@ -213,6 +213,7 @@ def get_listener_attrs(client_manager, parsed_args): 'timeout_tcp_inspect': ('timeout_tcp_inspect', int), 'client_ca_tls_container_ref': ('client_ca_tls_container_ref', _format_str_if_need_treat_unset), + 'client_authentication': ('client_authentication', str), } _attrs = vars(parsed_args) diff --git a/octaviaclient/tests/unit/osc/v2/constants.py b/octaviaclient/tests/unit/osc/v2/constants.py index 1b9424e..69435e5 100644 --- a/octaviaclient/tests/unit/osc/v2/constants.py +++ b/octaviaclient/tests/unit/osc/v2/constants.py @@ -73,6 +73,7 @@ LISTENER_ATTRS = { "timeout_member_data": 50000, "timeout_tcp_inspect": 0, 'client_ca_tls_container_ref': uuidutils.generate_uuid(dashed=True), + 'client_authentication': "OPTIONAL", } LOADBALANCER_ATTRS = { diff --git a/octaviaclient/tests/unit/osc/v2/test_listener.py b/octaviaclient/tests/unit/osc/v2/test_listener.py index 8fdaf91..2fe6600 100644 --- a/octaviaclient/tests/unit/osc/v2/test_listener.py +++ b/octaviaclient/tests/unit/osc/v2/test_listener.py @@ -140,7 +140,9 @@ class TestListenerCreate(TestListener): '--default-tls-container-ref', self._listener.default_tls_container_ref, '--client-ca-tls-container-ref', - self._listener.client_ca_tls_container_ref] + self._listener.client_ca_tls_container_ref, + '--client-authentication', + self._listener.client_authentication] verifylist = [ ('loadbalancer', 'mock_lb_id'), ('name', self._listener.name), @@ -150,7 +152,8 @@ class TestListenerCreate(TestListener): ('default_tls_container_ref', self._listener.default_tls_container_ref), ('client_ca_tls_container_ref', - self._listener.client_ca_tls_container_ref) + self._listener.client_ca_tls_container_ref), + ('client_authentication', self._listener.client_authentication) ] parsed_args = self.check_parser(self.cmd, arglist, verifylist) 
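Review bot: The new `client_authentication` entry in get_listener_attrs (hunk `@@ -213,6 +213,7 @@`) converts with plain `str`, while the neighbouring `client_ca_tls_container_ref` entry goes through `_format_str_if_need_treat_unset`, which by its name handles the unset case. If the CA reference can be unset while `client_authentication` stays at `OPTIONAL` or `MANDATORY`, the resulting listener state depends entirely on server-side validation; that is not visible from this hunk and is worth confirming. Whether a `None` value (option not given) is filtered out before `str` is applied is also outside the hunk; if it is not, the string `'None'` would be sent. I would add a comment on the entry, e.g. `# upper-cased and checked against CLIENT_AUTH_CHOICES by the parser; pass NONE to disable`. The function body continues outside the hunk.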
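Review bot: The tests added to TestListenerCreate at `@@ -140,7 +140,9 @@` only ever pass the fixture value `"OPTIONAL"`, already upper-case, so neither the case-insensitive `type=lambda s: s.upper()` path nor the `choices` rejection is exercised. I would add one case that passes `self._listener.client_authentication.lower()` in `arglist` while `verifylist` still expects the upper-case value, and one that asserts an unknown value such as `'REQUIRED'` makes the parser fail. For an option that decides whether client certificates are enforced, the rejection of a mistyped mode deserves a test. The same gap applies to the hunk at `@@ -150,7 +152,8 @@` and to the TestListenerSet hunks at `@@ -222,7 +225,9 @@`, `@@ -230,7 +235,9 @@` and `@@ -243,7 +250,9 @@`. The test method starts outside this hunk.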
@@ -222,7 +225,9 @@ class TestListenerSet(TestListener): '--default-tls-container-ref', self._listener.default_tls_container_ref, '--client-ca-tls-container-ref', - self._listener.client_ca_tls_container_ref] + self._listener.client_ca_tls_container_ref, + '--client-authentication', + self._listener.client_authentication] verifylist = [ ('listener', self._listener.id), ('name', 'new_name'), @@ -230,7 +235,9 @@ class TestListenerSet(TestListener): ('default_tls_container_ref', self._listener.default_tls_container_ref), ('client_ca_tls_container_ref', - self._listener.client_ca_tls_container_ref) + self._listener.client_ca_tls_container_ref), + ('client_authentication', + self._listener.client_authentication) ] parsed_args = self.check_parser(self.cmd, arglist, verifylist) @@ -243,7 +250,9 @@ class TestListenerSet(TestListener): 'default_tls_container_ref': self._listener.default_tls_container_ref, 'client_ca_tls_container_ref': - self._listener.client_ca_tls_container_ref + self._listener.client_ca_tls_container_ref, + 'client_authentication': + self._listener.client_authentication }})