diff --git a/manifests/api.pp b/manifests/api.pp
index 4497e025..fcaaa597 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -43,10 +43,6 @@
 #   Should be an valid interger
 #   Defaults to '1000'.
 #
-# [*neutron_url*]
-#   (optional) The Neutron URL to be used for requests from ironic
-#   Defaults to 'http://127.0.0.1:9696/'
-#
 # [*admin_password*]
 #   (required) The password to set for the ironic admin user in keystone
 #
@@ -72,6 +68,12 @@
 #   HTTPProxyToWSGI middleware.
 #   Defaults to $::os_service_default.
 #
+# DEPRECATED
+#
+# [*neutron_url*]
+#   (optional) The Neutron URL to be used for requests from ironic
+#   Defaults to undef
+#
 class ironic::api (
   $package_ensure               = 'present',
   $enabled                      = true,
@@ -80,9 +82,10 @@ class ironic::api (
   $port                         = '6385',
   $max_limit                    = '1000',
   $workers                      = $::os_service_default,
-  $neutron_url                  = 'http://127.0.0.1:9696/',
   $public_endpoint              = $::os_service_default,
   $enable_proxy_headers_parsing = $::os_service_default,
+  # DEPRECATED
+  $neutron_url                  = undef,
 ) inherits ironic::params {
 
   include ::ironic::deps
@@ -90,6 +93,13 @@ class ironic::api (
   include ::ironic::policy
   include ::ironic::api::authtoken
 
+  # For backward compatibility only, remove when neutron_url is removed
+  include ::ironic::neutron
+
+  if $neutron_url {
+    warning('Using ironic::api::neutron_url is deprecated, use ironic::neutron::api_endpoint instead')
+  }
+
   # Configure ironic.conf
   ironic_config {
     'api/host_ip':         value => $host_ip;
@@ -97,7 +107,6 @@ class ironic::api (
     'api/max_limit':       value => $max_limit;
     'api/api_workers':     value => $workers;
     'api/public_endpoint': value => $public_endpoint;
-    'neutron/url':         value => $neutron_url;
   }
 
   # Install package
diff --git a/manifests/init.pp b/manifests/init.pp
index 64a3c056..4c0ed6c6 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -360,6 +360,7 @@ class ironic (
   include ::ironic::params
 
   include ::ironic::glance
+  include ::ironic::neutron
 
   if $rabbit_user {
     warning('The rabbit_user parameter is deprecated. Please use rabbit_userid instead.')
diff --git a/manifests/neutron.pp b/manifests/neutron.pp
new file mode 100644
index 00000000..a5abd39a
--- /dev/null
+++ b/manifests/neutron.pp
@@ -0,0 +1,58 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: ironic::neutron
+#
+# [*api_endpoint*]
+#   (optional) The Neutron URL to be used for requests from ironic
+#   Defaults to $::os_service_default
+#
+# [*auth_type*]
+#   The authentication plugin to use when connecting to neutron.
+#   Defaults to 'password'
+#
+# [*auth_url*]
+#   The address of the keystone api endpoint.
+#   Defaults to $::os_service_default
+#
+# [*project_name*]
+#   The Keystone project name.
+#   Defaults to 'services'
+#
+# [*username*]
+#   The admin username for ironic to connect to neutron.
+#   Defaults to 'ironic'.
+#
+# [*password*]
+#   The admin password for ironic to connect to neutron.
+#   Defaults to $::os_service_default
+#
+class ironic::neutron (
+  $api_endpoint = $::os_service_default,
+  $auth_type    = 'password',
+  $auth_url     = $::os_service_default,
+  $project_name = 'services',
+  $username     = 'ironic',
+  $password     = $::os_service_default,
+) {
+
+  $api_endpoint_real = pick($::ironic::api::neutron_url, $api_endpoint)
+
+  ironic_config {
+    'neutron/url':          value => $api_endpoint_real;
+    'neutron/auth_type':    value => $auth_type;
+    'neutron/username':     value => $username;
+    'neutron/password':     value => $password, secret => true;
+    'neutron/auth_url':     value => $auth_url;
+    'neutron/project_name': value => $project_name;
+  }
+}
diff --git a/releasenotes/notes/neutron-manifest-8fbe400720ffc60e.yaml b/releasenotes/notes/neutron-manifest-8fbe400720ffc60e.yaml
new file mode 100644
index 00000000..f8ad6e41
--- /dev/null
+++ b/releasenotes/notes/neutron-manifest-8fbe400720ffc60e.yaml
@@ -0,0 +1,17 @@
+---
+features:
+  - |
+    New manifest "ironic::neutron" to set parameters for connecting to neutron.
+    Please set credentials for ironic to access neutron using this manifest,
+    otherwise ironic falls back to using "keystone_authtoken" credentials,
+    which are deprecated for this purpose.
+deprecations:
+  - |
+    Parameter "ironic::api::neutron_url" is deprecated, use
+    "ironic::neutron::api_endpoint" instead.
+upgrade:
+  - |
+    Value of "ironic::neutron::api_endpoint" parameter (former
+    "ironic::api::neutron_url") was reset to the service default. The default
+    of "127.0.0.1:9696" was often wrong, without it ironic will fetch the
+    corrent one from the service catalog.
diff --git a/spec/classes/ironic_api_spec.rb b/spec/classes/ironic_api_spec.rb
index 1581811e..09ff0e65 100644
--- a/spec/classes/ironic_api_spec.rb
+++ b/spec/classes/ironic_api_spec.rb
@@ -69,7 +69,6 @@ describe 'ironic::api' do
       is_expected.to contain_ironic_config('api/max_limit').with_value(p[:max_limit])
       is_expected.to contain_ironic_config('api/api_workers').with_value('<SERVICE DEFAULT>')
       is_expected.to contain_ironic_config('api/public_endpoint').with_value('<SERVICE DEFAULT>')
-      is_expected.to contain_ironic_config('neutron/url').with_value('http://127.0.0.1:9696/')
       is_expected.to contain_ironic_config('oslo_middleware/enable_proxy_headers_parsing').with_value('<SERVICE DEFAULT>')
     end
 
diff --git a/spec/classes/ironic_init_spec.rb b/spec/classes/ironic_init_spec.rb
index 41db8011..f656e954 100644
--- a/spec/classes/ironic_init_spec.rb
+++ b/spec/classes/ironic_init_spec.rb
@@ -72,6 +72,7 @@ describe 'ironic' do
     it { is_expected.to contain_class('ironic::params') }
 
     it { is_expected.to contain_class('ironic::glance') }
+    it { is_expected.to contain_class('ironic::neutron') }
 
     it 'installs ironic-common package' do
       is_expected.to contain_package('ironic-common').with(
diff --git a/spec/classes/ironic_neutron_spec.rb b/spec/classes/ironic_neutron_spec.rb
new file mode 100644
index 00000000..88c4ddee
--- /dev/null
+++ b/spec/classes/ironic_neutron_spec.rb
@@ -0,0 +1,81 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for ironic::neutron
+#
+
+require 'spec_helper'
+
+describe 'ironic::neutron' do
+
+  let :default_params do
+    { :auth_type    => 'password',
+      :project_name => 'services',
+      :username     => 'ironic',
+    }
+  end
+
+  let :params do
+    {}
+  end
+
+  shared_examples_for 'ironic neutron configuration' do
+    let :p do
+      default_params.merge(params)
+    end
+
+    it 'configures ironic.conf' do
+      is_expected.to contain_ironic_config('neutron/url').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('neutron/auth_type').with_value(p[:auth_type])
+      is_expected.to contain_ironic_config('neutron/auth_url').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_ironic_config('neutron/project_name').with_value(p[:project_name])
+      is_expected.to contain_ironic_config('neutron/username').with_value(p[:username])
+      is_expected.to contain_ironic_config('neutron/password').with_value('<SERVICE DEFAULT>').with_secret(true)
+    end
+
+    context 'when overriding parameters' do
+      before :each do
+        params.merge!(
+            :api_endpoint => 'http://neutron.example.com',
+            :auth_type    => 'noauth',
+            :auth_url     => 'http://example.com',
+            :project_name => 'project1',
+            :username     => 'admin',
+            :password     => 'pa$$w0rd',
+        )
+      end
+
+      it 'should replace default parameter with new value' do
+        is_expected.to contain_ironic_config('neutron/url').with_value(p[:api_endpoint])
+        is_expected.to contain_ironic_config('neutron/auth_type').with_value(p[:auth_type])
+        is_expected.to contain_ironic_config('neutron/auth_url').with_value(p[:auth_url])
+        is_expected.to contain_ironic_config('neutron/project_name').with_value(p[:project_name])
+        is_expected.to contain_ironic_config('neutron/username').with_value(p[:username])
+        is_expected.to contain_ironic_config('neutron/password').with_value(p[:password]).with_secret(true)
+      end
+    end
+
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_behaves_like 'ironic neutron configuration'
+    end
+  end
+
+end