diff --git a/src/libtls/tls.h b/src/libtls/tls.h
index a426d7618..5c06686b7 100644
--- a/src/libtls/tls.h
+++ b/src/libtls/tls.h
@@ -96,6 +96,8 @@ enum tls_purpose_t {
 	TLS_PURPOSE_EAP_TLS,
 	/** outer authentication and protection in EAP-TTLS */
 	TLS_PURPOSE_EAP_TTLS,
+	/** EAP-TTLS with client authentication */
+	TLS_PURPOSE_EAP_TTLS_CLIENT_AUTH,
 };
 
 /**
diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c
index 26e4dfa41..a12944af1 100644
--- a/src/libtls/tls_crypto.c
+++ b/src/libtls/tls_crypto.c
@@ -926,6 +926,7 @@ tls_crypto_t *tls_crypto_create(tls_t *tls)
 			build_cipher_suite_list(this, FALSE);
 			break;
 		case TLS_PURPOSE_EAP_TTLS:
+		case TLS_PURPOSE_EAP_TTLS_CLIENT_AUTH:
 			/* MSK PRF ASCII constant label according to EAP-TTLS RFC 5281 */
 			this->msk_label = "ttls keying material";
 			build_cipher_suite_list(this, TRUE);
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index 4f988c603..77e26d6fa 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -682,6 +682,7 @@ tls_server_t *tls_server_create(tls_t *tls,
 	switch (tls->get_purpose(tls))
 	{
 		case TLS_PURPOSE_EAP_TLS:
+		case TLS_PURPOSE_EAP_TTLS_CLIENT_AUTH:
 			this->request_peer_auth = TRUE;
 			break;
 		case TLS_PURPOSE_EAP_TTLS: