diff --git a/src/config.c b/src/config.c
index e38197d2..77dc0aea 100644
--- a/src/config.c
+++ b/src/config.c
@@ -72,7 +72,9 @@ static struct cfg_options available_options[] = {
 	{ .name = "pid-file", .type = OPTION_STRING, .mandatory = 0 },
 	{ .name = "socket-file", .type = OPTION_STRING, .mandatory = 1 },
 	{ .name = "banner", .type = OPTION_STRING, .mandatory = 0 },
+	/* this is alias for cisco-client-compat */
 	{ .name = "always-require-cert", .type = OPTION_BOOLEAN, .mandatory = 0 },
+	{ .name = "cisco-client-compat", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "use-utmp", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "use-dbus", .type = OPTION_BOOLEAN, .mandatory = 1 },
 	{ .name = "try-mtu-discovery", .type = OPTION_BOOLEAN, .mandatory = 0 },
@@ -231,6 +233,7 @@ unsigned j, mand;
 char** auth = NULL;
 unsigned auth_size = 0;
 unsigned prefix = 0;
+unsigned force_cert_auth;
 	pov = configFileLoad(file);
 	if (pov == NULL) {
@@ -328,7 +331,13 @@ unsigned prefix = 0;
 	READ_STRING("socket-file", config->socket_file_prefix);
 	READ_STRING("banner", config->banner);
-	READ_TF("always-require-cert", config->force_cert_auth, 1);
+	READ_TF("cisco-client-compat", config->cisco_client_compat, 0);
+	READ_TF("always-require-cert", force_cert_auth, 1);
+	if (force_cert_auth == 0) {
+		fprintf(stderr, "note that 'always-require-cert' was replaced by 'cisco-client-compat'\n");
+		config->cisco_client_compat = 1;
+	}
+
 	READ_TF("use-utmp", config->use_utmp, 1);
 	READ_TF("use-dbus", config->use_dbus, 0);
 	READ_TF("try-mtu-discovery", config->try_mtu, 0);
@@ -433,7 +442,7 @@ static void check_cfg( struct cfg_st *config)
 	}
 	if (config->auth_types & AUTH_TYPE_CERTIFICATE) {
-		if (config->force_cert_auth)
+		if (config->cisco_client_compat == 0)
 			config->cert_req = GNUTLS_CERT_REQUIRE;
 		else
 			config->cert_req = GNUTLS_CERT_REQUEST;
diff --git a/src/main-auth.c b/src/main-auth.c
index 0b4c27e4..ccb1b74e 100644
--- a/src/main-auth.c
+++ b/src/main-auth.c
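Review bot: The comment `/* this is alias for cisco-client-compat */` placed above the `always-require-cert` entry of `available_options` is misleading, because the later hunk in this same file maps `always-require-cert = false` to `cisco_client_compat = 1`: the two keys have opposite polarity and the old one is deprecated rather than aliased. I would write it as `/* deprecated: "always-require-cert = false" is read as "cisco-client-compat = true" */`, so that whoever reads the table sees which value of the legacy key relaxes the certificate requirement. The `available_options` array starts before this hunk and continues after it.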
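Review bot: When a configuration contains both keys, the legacy `always-require-cert = false` silently overrides an explicit `cisco-client-compat = false`, because the `if (force_cert_auth == 0)` block unconditionally writes `config->cisco_client_compat = 1` after the new key has already been read; the stricter of the two settings loses, and the only signal is an `fprintf(stderr, ...)`, which is presumably not visible once the daemon has detached (the logging setup is not in this hunk). If `READ_TF` cannot report whether a key was present, I would at least make the message say what is taking effect rather than "was replaced", e.g. `fprintf(stderr, "'always-require-cert = false' is deprecated; it enables 'cisco-client-compat' and overrides any explicit setting of it\n");`, and ideally route it through the daemon's normal logger. A `cisco-client-compat = false` line that is ignored is exactly the kind of thing an operator hardening a deployment will not notice. The function containing this hunk starts and ends outside it.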
@@ -168,7 +168,7 @@ static int check_user_group_status(main_server_st *s, struct proc_st* proc, int tls_auth_ok, const char* cert_user, const char* cert_group)
 {
 	if (s->config->auth_types & AUTH_TYPE_CERTIFICATE) {
-		if (tls_auth_ok == 0 && s->config->force_cert_auth != 0) {
+		if (tls_auth_ok == 0 && s->config->cisco_client_compat == 0) {
 			mslog(s, proc, LOG_INFO, "user '%s' presented no certificate", proc->username);
 			return -1;
 		}
diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index 9515b91f..c08ee3d6 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -331,9 +331,10 @@ route = 192.168.5.0/255.255.255.0
 # Unless set to false it is required for clients to present their
 # certificate even if they are authenticating via a previously granted
-# cookie. Legacy CISCO clients do not do that, and thus this option
-# should be set for them.
-#always-require-cert = false
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be
+# set for them.
+#cisco-client-compat = false
 @end example
diff --git a/src/tlslib.c b/src/tlslib.c
index 908cbd93..88ff419a 100644
--- a/src/tlslib.c
+++ b/src/tlslib.c
@@ -132,7 +132,7 @@ unsigned tls_has_session_cert(struct worker_st * ws)
 	if (ws->cert_auth_ok)
 		return 1;
-	if (ws->config->force_cert_auth != 0) {
+	if (ws->config->cisco_client_compat == 0) {
 		return 0;
 	}
@@ -283,7 +283,7 @@ static int verify_certificate_cb(gnutls_session_t session)
 	/* notify gnutls to continue handshake normally */
 	return 0;
 fail:
-	if (ws->config->force_cert_auth != 0)
+	if (ws->config->cisco_client_compat == 0)
 		return GNUTLS_E_CERTIFICATE_ERROR;
 	else
 		return 0;
diff --git a/src/vpn.h b/src/vpn.h
index b674ffbd..b449a644 100644
--- a/src/vpn.h
+++ b/src/vpn.h
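Review bot: With `cisco-client-compat` enabled, the `fail:` path of `verify_certificate_cb` returns 0, so the TLS handshake continues for every condition that jumps to `fail:`, not only for "no client certificate presented"; depending on what precedes the label (outside this hunk) that may include a certificate that was presented but did not verify, which the new config-file text for the option never mentions. Either the failure cases should be distinguished so that only the no-certificate case continues, or the tolerance should be documented at the label, e.g. `/* cisco-client-compat: any verification failure is tolerated here; the client must then authenticate by other means */`. I cannot see from this hunk whether `ws->cert_auth_ok` is guaranteed to stay cleared on this path, and `tls_has_session_cert` keys off that flag, so that should be confirmed. The function starts before this hunk.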
@@ -185,7 +185,9 @@ struct cfg_st {
 	unsigned use_utmp;
 	unsigned use_dbus; /* whether the D-BUS service is registered */
 	unsigned try_mtu; /* MTU discovery enabled */
-	unsigned force_cert_auth; /* always require client certificate */
+	unsigned cisco_client_compat; /* do not require client certificate,
+					* and allow auth to complete in different
+					* TCP sessions. */
 	unsigned rate_limit_ms; /* if non zero force a connection every rate_limit milliseconds */
 	unsigned ping_leases; /* non zero if we need to ping prior to leasing */
diff --git a/src/worker-auth.c b/src/worker-auth.c
index 674b3425..1ea48f85 100644
--- a/src/worker-auth.c
+++ b/src/worker-auth.c
@@ -383,7 +383,7 @@ int auth_cookie(worker_st * ws, void *cookie, size_t cookie_size)
 	char tmp_group[MAX_USERNAME_SIZE];
 	if ((ws->config->auth_types & AUTH_TYPE_CERTIFICATE)
-	    && ws->config->force_cert_auth != 0) {
+	    && ws->config->cisco_client_compat == 0) {
 		if (ws->cert_auth_ok == 0) {
 			oclog(ws, LOG_INFO, "no certificate provided for cookie authentication");
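Review bot: The new comment on `cisco_client_compat` in `struct cfg_st` understates what the flag does: in this same commit it also makes `verify_certificate_cb` return 0 on its `fail:` path and is set implicitly by the legacy `always-require-cert = false`, and the field is the single switch every certificate check in the tree now reads. Since this is where a maintainer will look first, I would extend it to `/* cisco-client-compat: client cert not required (verification failures are tolerated at handshake, see verify_certificate_cb), and auth may complete in a different TCP session; also set by the legacy "always-require-cert = false" */`. The struct definition starts before this hunk and continues after it.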