diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index 4c4b89992..a7569580f 100644
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -958,6 +958,7 @@ int wpa_ft_parse_ies(const u8 *ies, size_t ies_len,
 					   "RSN IE: %d", ret);
 				return -1;
 			}
+			parse->rsn_capab = data.capabilities;
 			if (data.num_pmkid == 1 && data.pmkid)
 				parse->rsn_pmkid = data.pmkid;
 			parse->key_mgmt = data.key_mgmt;
diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index e83d6887a..cb511ff0b 100644
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -453,6 +453,7 @@ struct wpa_ft_ies {
 	size_t r0kh_id_len;
 	const u8 *rsn;
 	size_t rsn_len;
+	u16 rsn_capab;
 	const u8 *rsn_pmkid;
 	const u8 *tie;
 	size_t tie_len;
diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
index 7e8b523e4..f698ff4eb 100644
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -597,6 +597,14 @@ int wpa_ft_process_response(struct wpa_sm *sm, const u8 *ies, size_t ies_len,
 		return -1;
 	}
 
+#ifdef CONFIG_IEEE80211W
+	if (sm->mfp == 2 && !(parse.rsn_capab & WPA_CAPABILITY_MFPC)) {
+		wpa_printf(MSG_INFO,
+			   "FT: Target AP does not support PMF, but local configuration requires that");
+		return -1;
+	}
+#endif /* CONFIG_IEEE80211W */
+
 	os_memcpy(sm->r1kh_id, parse.r1kh_id, FT_R1KH_ID_LEN);
 	wpa_hexdump(MSG_DEBUG, "FT: R1KH-ID", sm->r1kh_id, FT_R1KH_ID_LEN);
 	wpa_hexdump(MSG_DEBUG, "FT: SNonce", sm->snonce, WPA_NONCE_LEN);