diff --git a/builtin/logical/cassandra/backend.go b/builtin/logical/cassandra/backend.go
index efbb46c07..755082c08 100644
--- a/builtin/logical/cassandra/backend.go
+++ b/builtin/logical/cassandra/backend.go
@@ -21,12 +21,6 @@ func Backend() *framework.Backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
-		PathsSpecial: &logical.Paths{
-			Root: []string{
-				"config/*",
-			},
-		},
-
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathRoles(&b),
@@ -52,14 +46,15 @@ type backend struct {
 }
 
 type sessionConfig struct {
-	Hosts       string `json:"hosts" structs:"hosts"`
-	Username    string `json:"username" structs:"username"`
-	Password    string `json:"password" structs:"password"`
-	TLS         bool   `json:"tls" structs:"tls"`
-	InsecureTLS bool   `json:"insecure_tls" structs:"insecure_tls"`
-	Certificate string `json:"certificate" structs:"certificate"`
-	PrivateKey  string `json:"private_key" structs:"private_key"`
-	IssuingCA   string `json:"issuing_ca" structs:"issuing_ca"`
+	Hosts           string `json:"hosts" structs:"hosts"`
+	Username        string `json:"username" structs:"username"`
+	Password        string `json:"password" structs:"password"`
+	TLS             bool   `json:"tls" structs:"tls"`
+	InsecureTLS     bool   `json:"insecure_tls" structs:"insecure_tls"`
+	Certificate     string `json:"certificate" structs:"certificate"`
+	PrivateKey      string `json:"private_key" structs:"private_key"`
+	IssuingCA       string `json:"issuing_ca" structs:"issuing_ca"`
+	ProtocolVersion int    `json:"protocol_version" structs:"protocol_version"`
 }
 
 // DB returns the database connection.
diff --git a/builtin/logical/cassandra/path_config_connection.go b/builtin/logical/cassandra/path_config_connection.go
index b4ebd7076..6b34d6bae 100644
--- a/builtin/logical/cassandra/path_config_connection.go
+++ b/builtin/logical/cassandra/path_config_connection.go
@@ -55,10 +55,15 @@ backend can be directly passed into this parameter.
 If both this and "pem_bundle" are specified, this will
 take precedence.`,
 			},
+
+			"protocol_version": &framework.FieldSchema{
+				Type:        framework.TypeInt,
+				Description: `The protocol version to use. Defaults to 2.`,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.ReadOperation:  b.pathConnectionRead,
+			logical.ReadOperation:   b.pathConnectionRead,
 			logical.UpdateOperation: b.pathConnectionWrite,
 		},
 
@@ -108,11 +113,12 @@ func (b *backend) pathConnectionWrite(
 	}
 
 	config := &sessionConfig{
-		Hosts:       hosts,
-		Username:    username,
-		Password:    password,
-		TLS:         data.Get("tls").(bool),
-		InsecureTLS: data.Get("insecure_tls").(bool),
+		Hosts:           hosts,
+		Username:        username,
+		Password:        password,
+		TLS:             data.Get("tls").(bool),
+		InsecureTLS:     data.Get("insecure_tls").(bool),
+		ProtocolVersion: data.Get("protocol_version").(int),
 	}
 
 	if config.InsecureTLS {
diff --git a/builtin/logical/cassandra/util.go b/builtin/logical/cassandra/util.go
index 394bfafd5..193de6661 100644
--- a/builtin/logical/cassandra/util.go
+++ b/builtin/logical/cassandra/util.go
@@ -39,6 +39,11 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
 		Password: cfg.Password,
 	}
 
+	clusterConfig.ProtoVersion = cfg.ProtocolVersion
+	if clusterConfig.ProtoVersion == 0 {
+		clusterConfig.ProtoVersion = 2
+	}
+
 	if cfg.TLS {
 		tlsConfig := &tls.Config{
 			InsecureSkipVerify: cfg.InsecureTLS,
diff --git a/website/source/docs/secrets/cassandra/index.html.md b/website/source/docs/secrets/cassandra/index.html.md
index a638d8bd8..8d0f903b4 100644
--- a/website/source/docs/secrets/cassandra/index.html.md
+++ b/website/source/docs/secrets/cassandra/index.html.md
@@ -104,20 +104,28 @@ subpath for interactive help output.
     TLS works as follows:<br /><br />
     <ul>
       <li>
-        • If `tls` is set to true, the connection will use TLS; this happens automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
+        • If `tls` is set to true, the connection will use TLS; this happens
+        automatically if `pem_bundle`, `pem_json`, or `insecure_tls` is set
       </li>
       <li>
-        • If `insecure_tls` is set to true, the connection will not perform verification of the server certificate; this also sets `tls` to true
+        • If `insecure_tls` is set to true, the connection will not perform
+        verification of the server certificate; this also sets `tls` to true
       </li>
       <li>
-        • If only `issuing_ca` is set in `pem_json`, or the only certificate in `pem_bundle` is a CA certificate, the given CA certificate will be used for server certificate verification; otherwise the system CA certificates will be used
+        • If only `issuing_ca` is set in `pem_json`, or the only certificate in
+        `pem_bundle` is a CA certificate, the given CA certificate will be used
+        for server certificate verification; otherwise the system CA
+        certificates will be used
       </li>
       <li>
-        • If `certificate` and `private_key` are set in `pem_bundle` or `pem_json`, client auth will be turned on for the connection
+        • If `certificate` and `private_key` are set in `pem_bundle` or
+        `pem_json`, client auth will be turned on for the connection
       </li>
     </ul>
-    `pem_bundle` should be a PEM-concatenated bundle of a private key + client certificate, an issuing CA certificate, or both. `pem_json` should contain the same information; for convenience, the JSON format is the same as that output by the issue command from the PKI backend.<br /><br />
-    This is a root protected endpoint.
+    `pem_bundle` should be a PEM-concatenated bundle of a private key + client
+    certificate, an issuing CA certificate, or both. `pem_json` should contain
+    the same information; for convenience, the JSON format is the same as that
+    output by the issue command from the PKI backend.
   </dd>
 
   <dt>Method</dt>
@@ -169,6 +177,11 @@ subpath for interactive help output.
         certificate. For convenience format is the same as the output of the
         `issue` command from the `pki` backend; see [the pki documentation](https://www.vaultproject.io/docs/secrets/pki/index.html).
       </li>
+      <li>
+        <span class="param">protocol_version</span>
+        <span class="param-flags">optional</span>
+        The CQL protocol version to use. Defaults to 2.
+      </li>
     </ul>
   </dd>
 
@@ -220,13 +233,6 @@ subpath for interactive help output.
         The lease value provided as a string duration
         with time suffix. Hour is the largest suffix.
       </li>
-      <li>
-        <span class="param">lease_grace_period</span>
-        <span class="param-flags">optional</span>
-        The lease grace period (time before revocation after the lease has
-        expired) provided as a string duration with time suffix. Hour is the
-        largest suffix.
-      </li>
     </ul>
   </dd>
 
@@ -264,7 +270,6 @@ subpath for interactive help output.
         "creation_cql": "CREATE USER...",
         "rollback_cql": "DROP USER...",
         "lease": "12h",
-        "lease_grace_period": "1h"
       }
     }
     ```