diff --git a/plugins/filter/filters.py b/plugins/filter/filters.py
index ac4017e0c..5e77ed12e 100644
--- a/plugins/filter/filters.py
+++ b/plugins/filter/filters.py
@@ -156,7 +156,7 @@ def split_newline_to_dict(self, string):
         return final_dict
 
     def listener_properties(self, listeners_dict, default_ssl_enabled,
-                            bouncy_castle_keystore, default_ssl_mutual_auth_enabled,
+                            bouncy_castle_keystore, default_ssl_client_authentication,
                             default_sasl_protocol, kafka_broker_truststore_path,
                             kafka_broker_truststore_storepass, kafka_broker_keystore_path,
@@ -187,8 +187,7 @@ def listener_properties(self, listeners_dict, default_ssl_enabled,
                 final_dict['listener.name.' + listener_name + '.ssl.truststore.type'] = 'BCFKS'
             final_dict['listener.name.' + listener_name + '.ssl.enabled.protocols'] = 'TLSv1.2,TLSv1.3'
 
-            if listeners_dict[listener].get('ssl_mutual_auth_enabled', default_ssl_mutual_auth_enabled):
-                final_dict['listener.name.' + listener_name + '.ssl.client.auth'] = 'required'
+            final_dict['listener.name.' + listener_name + '.ssl.client.auth'] = listeners_dict[listener].get('ssl_client_authentication', default_ssl_client_authentication)
 
             if self.normalize_sasl_protocol(listeners_dict[listener].get('sasl_protocol', default_sasl_protocol)) == 'PLAIN':
                 final_dict['listener.name.' + listener_name + '.sasl.enabled.mechanisms'] = 'PLAIN'
diff --git a/roles/variables/defaults/main.yml b/roles/variables/defaults/main.yml
index 8a4a25500..5afec8102 100644
--- a/roles/variables/defaults/main.yml
+++ b/roles/variables/defaults/main.yml
@@ -437,6 +437,7 @@ kafka_controller_listeners: "{
     'port': {{kafka_controller_port}},
     'ssl_enabled': {{kafka_controller_ssl_enabled|string|lower}},
     'ssl_mutual_auth_enabled': {{kafka_controller_ssl_mutual_auth_enabled|string|lower}},
+    'ssl_client_authentication': '{{kafka_controller_ssl_client_authentication|string|lower}}',
     'sasl_protocol': '{{kafka_controller_sasl_protocol}}'
   }
 }"
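Review bot: The new `ssl.client.auth` assignment writes whatever `listeners_dict[listener].get('ssl_client_authentication', default_ssl_client_authentication)` returns straight into the broker config, with no normalization and no check against the three values Kafka accepts (`none`, `requested`, `required`), so a per-listener `'Required'` or a bool left over from the old `ssl_mutual_auth_enabled` flag (any positional caller not updated in this commit) produces a property the broker rejects at startup, while a value of `none` or `requested` silently turns a listener that was previously `required` into one that accepts anonymous TLS clients. The removed branch also means an inventory that still sets `ssl_mutual_auth_enabled: true` per listener gets no client-certificate enforcement unless `default_ssl_client_authentication` (not shown here) already resolves to `required`. I would resolve the value explicitly — explicit key, then the legacy flag, then the default — lower-case it and reject anything outside the allowed set, raising the error type this plugin already uses (`AnsibleFilterError` if it is imported, `ValueError` otherwise). `listener_properties` begins and ends outside the hunk.
```python
            # … unchanged: ssl.enabled.protocols …
            cfg = listeners_dict[listener]
            if 'ssl_client_authentication' in cfg:
                client_auth = str(cfg['ssl_client_authentication']).lower()
            elif cfg.get('ssl_mutual_auth_enabled', False):
                client_auth = 'required'  # legacy flag from inventories written before ssl_client_authentication existed
            else:
                client_auth = str(default_ssl_client_authentication).lower()
            if client_auth not in ('none', 'requested', 'required'):
                raise ValueError("listener '%s': ssl_client_authentication must be none, requested or required (got '%s')" % (listener_name, client_auth))
            final_dict['listener.name.' + listener_name + '.ssl.client.auth'] = client_auth
            # … unchanged: SASL mechanism handling …
```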
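Review bot: `kafka_controller_listeners` now carries both `'ssl_mutual_auth_enabled'` and the new `'ssl_client_authentication'` key, but the filter change in this commit reads only the latter, so `kafka_controller_ssl_mutual_auth_enabled: true` in an existing inventory no longer yields `ssl.client.auth=required` unless the default of `kafka_controller_ssl_client_authentication` (not in this diff) is derived from it. I would make that derivation explicit, e.g. `kafka_controller_ssl_client_authentication: "{{ 'required' if kafka_controller_ssl_mutual_auth_enabled|bool else 'none' }}"`, or drop the legacy key from the dict so a flag that looks like mTLS cannot quietly resolve to `none`. A comment above the dict such as `# 'ssl_client_authentication' (none|requested|required) is what reaches ssl.client.auth; 'ssl_mutual_auth_enabled' is legacy and no longer read by listener_properties` would make the precedence visible. The `kafka_controller_listeners` string starts before the hunk.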
@@ -566,13 +567,24 @@ kafka_broker_default_listeners: "{
     'port': 9092,
     'ssl_enabled': {% if ccloud_kafka_enabled|bool %}true{% else %}{{ssl_enabled|string|lower}}{% endif %},
     'ssl_mutual_auth_enabled': {% if ccloud_kafka_enabled|bool %}false{% else %}{{ssl_mutual_auth_enabled|string|lower}}{% endif %},
-    'sasl_protocol': '{% if rbac_enabled|bool or oauth_enabled|bool %}OAUTH{% elif ccloud_kafka_enabled|bool %}PLAIN{% else %}{{sasl_protocol}}{% endif %}'
-  }{% if kafka_broker_configure_multiple_listeners|bool %},
+    'ssl_client_authentication': '{% if ccloud_kafka_enabled|bool %}none{% else %}{{ssl_client_authentication|string|lower}}{% endif %}',
+    'sasl_protocol': '{% if auth_mode in [\"ldap\", \"ldap_with_oauth\", \"oauth\"] %}OAUTH{% elif ccloud_kafka_enabled|bool %}PLAIN{% else %}{{sasl_protocol}}{% endif %}'
+  }{% if auth_mode == 'mtls' %},
+  'internal_token': {
+    'name': 'INTERNAL_TOKEN',
+    'port': 9088,
+    'ssl_enabled': true,
+    'ssl_mutual_auth_enabled': true,
+    'ssl_client_authentication': '{{ssl_client_authentication|string|lower}}',
+    'sasl_protocol': 'OAUTH'
+  }{% endif %}
+  {% if kafka_broker_configure_multiple_listeners|bool %},
   'broker': {
     'name': 'BROKER',
     'port': 9091,
     'ssl_enabled': {{ssl_enabled|string|lower}},
     'ssl_mutual_auth_enabled': {{ssl_mutual_auth_enabled|string|lower}},
+    'ssl_client_authentication': '{{ssl_client_authentication|string|lower}}',
     'sasl_protocol': '{{sasl_protocol}}'
   }{% if kafka_broker_configure_control_plane_listener|bool and not kraft_enabled|bool %},
   'controller': {
@@ -580,6 +592,7 @@ kafka_broker_default_listeners: "{
     'port': 9089,
     'ssl_enabled': {{ssl_enabled|string|lower}},
     'ssl_mutual_auth_enabled': {{ssl_mutual_auth_enabled|string|lower}},
+    'ssl_client_authentication': '{{ssl_client_authentication|string|lower}}',
     'sasl_protocol': '{{sasl_protocol}}'
   }{% endif %}{% endif %}
 }"
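Review bot: The new `internal_token` entry hard-codes `'ssl_mutual_auth_enabled': true` but takes `'ssl_client_authentication'` from the global `ssl_client_authentication`, and with the filter in this commit only the latter reaches `ssl.client.auth`; a deployment with `auth_mode: mtls` and `ssl_client_authentication: none` (or `requested`) therefore gets an INTERNAL_TOKEN listener on 9088 that the dict describes as mutually authenticated but that actually relies on the OAUTH bearer token alone. If the listener is meant to always require a client certificate, write `'ssl_client_authentication': 'required'` literally and drop the legacy `true`; if it is meant to follow the global setting, drop the `true` so the dict does not misstate the listener's posture. The listener is also added whenever `auth_mode == 'mtls'` regardless of `kafka_broker_configure_multiple_listeners`, unlike `broker`/`controller`, and the `sasl_protocol` switch from `rbac_enabled|bool or oauth_enabled|bool` to `auth_mode in [...]` changes what an RBAC deployment with an `auth_mode` outside that list gets on the INTERNAL listener — both deserve a one-line comment stating the intent. `kafka_broker_default_listeners` begins and ends outside the hunk.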
@@ -703,7 +716,14 @@ kafka_broker_rest_proxy_enabled: "{{confluent_server_enabled and not ccloud_kafk
 ### Authentication type to add to Kafka's embedded rest proxy or Admin API. Do not set when RBAC is enabled. Options: [basic, none]
 kafka_broker_rest_proxy_authentication_type: none
 
-kafka_broker_rest_proxy_listener_name: "{{ 'internal' if rbac_enabled else kafka_broker_inter_broker_listener_name }}"
+kafka_broker_rest_proxy_listener_name: >-
+  {%- if not rbac_enabled|bool -%}
+  {{ kafka_broker_inter_broker_listener_name }}
+  {%- elif rbac_enabled|bool and auth_mode == 'mtls' -%}
+  internal_token
+  {%- else -%}
+  internal
+  {%- endif -%}
 
 ### Use to register and identify your Kafka cluster in the MDS.
 kafka_broker_cluster_name: ""
diff --git a/roles/variables/vars/main.yml b/roles/variables/vars/main.yml
index 17b1f1de5..491a7715e 100644
--- a/roles/variables/vars/main.yml
+++ b/roles/variables/vars/main.yml
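Review bot: The `rbac_enabled|bool and` on the `elif` line of the new block scalar is redundant — the `if not rbac_enabled|bool` branch above already covers the false case — so `{%- elif auth_mode == 'mtls' -%}` says the same thing without evaluating the flag twice. The `internal_token` name chosen there only exists in `kafka_broker_default_listeners` under the same `auth_mode == 'mtls'` condition, so an inventory that overrides `kafka_broker_listeners` without that entry will presumably fail wherever this name is used as a dict key, with a lookup error rather than a clear message; a comment above the variable, `# must be a key of kafka_broker_listeners; 'internal_token' is only defined when auth_mode == 'mtls'`, would save the next reader the search. The variable definitions touched here are complete within the hunk.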
@@ -190,7 +190,7 @@ kafka_controller_properties:
       zookeeper.set.acl: 'true'
   broker_listener:
     enabled: "{{ sasl_protocol=='plain' }}" # might need to add for kerberos also in later release
-    properties: "{{ {'broker_listener': kafka_broker_listeners[kafka_broker_inter_broker_listener_name]} | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_mutual_auth_enabled, sasl_protocol,
+    properties: "{{ {'broker_listener': kafka_broker_listeners[kafka_broker_inter_broker_listener_name]} | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_client_authentication, sasl_protocol,
       kafka_controller_truststore_path, kafka_controller_truststore_storepass, kafka_controller_keystore_path, kafka_controller_keystore_storepass, kafka_controller_keystore_keypass, plain_jaas_config, kafka_controller_keytab_path, kafka_controller_kerberos_principal|default('kafka'), kerberos_kafka_controller_primary, sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, false, false) }}"
@@ -274,7 +274,7 @@ kafka_controller_properties:
       confluent.oauth.groups.claim.name: "{{oauth_groups_claim}}"
   listeners:
     enabled: true
-    properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_mutual_auth_enabled, kafka_controller_sasl_protocol,
+    properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_client_authentication, kafka_controller_sasl_protocol,
       kafka_controller_truststore_path, kafka_controller_truststore_storepass, kafka_controller_keystore_path, kafka_controller_keystore_storepass, kafka_controller_keystore_keypass, plain_jaas_config, kafka_controller_keytab_path, kafka_controller_kerberos_principal|default('kafka'), kerberos_kafka_controller_primary, sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, true, false) }}"
@@ -430,7 +430,7 @@ kafka_broker_properties:
       sasl.mechanism.controller.protocol: "{{kafka_controller_listeners['controller']['sasl_protocol'] | default(sasl_protocol) | confluent.platform.normalize_sasl_protocol}}"
   controller_listener:
     enabled: "{{ kraft_enabled|bool }}"
-    properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_mutual_auth_enabled, kafka_controller_sasl_protocol,
+    properties: "{{ kafka_controller_listeners | confluent.platform.listener_properties(kafka_controller_ssl_enabled, fips_enabled, kafka_controller_ssl_client_authentication, kafka_controller_sasl_protocol,
       kafka_broker_truststore_path, kafka_broker_truststore_storepass, kafka_broker_keystore_path, kafka_broker_keystore_storepass, kafka_broker_keystore_keypass, plain_jaas_config, kafka_broker_keytab_path, kafka_broker_kerberos_principal|default('kafka'), kerberos_kafka_broker_primary, sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, false, false) }}"
@@ -739,7 +739,7 @@ kafka_broker_properties:
       confluent.oauth.groups.claim.name: "{{oauth_groups_claim}}"
   listeners:
     enabled: true
-    properties: "{{ kafka_broker_listeners | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_mutual_auth_enabled, sasl_protocol,
+    properties: "{{ kafka_broker_listeners | confluent.platform.listener_properties(ssl_enabled, fips_enabled, ssl_client_authentication, sasl_protocol,
       kafka_broker_truststore_path, kafka_broker_truststore_storepass, kafka_broker_keystore_path, kafka_broker_keystore_storepass, kafka_broker_keystore_keypass, plain_jaas_config, kafka_broker_keytab_path, kafka_broker_kerberos_principal|default('kafka'), kerberos_kafka_broker_primary, sasl_scram_users_final.admin.principal, sasl_scram_users_final.admin.password, sasl_scram256_users_final.admin.principal, sasl_scram256_users_final.admin.password, rbac_enabled_public_pem_path, oauth_enabled, oauth_jwks_uri, oauth_expected_audience, oauth_sub_claim, rbac_enabled, false, idp_self_signed) }}"