diff --git a/components/wpa_supplicant/src/ap/wpa_auth.c b/components/wpa_supplicant/src/ap/wpa_auth.c
index d1b40bb1c8..19a73246f9 100644
--- a/components/wpa_supplicant/src/ap/wpa_auth.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth.c
@@ -2381,7 +2381,7 @@ static int wpa_gtk_update(struct wpa_authenticator *wpa_auth,
             group->GTK[group->GN - 1], group->GTK_len);
 
 #ifdef CONFIG_IEEE80211W
-    if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION) {
+    if (wpa_auth_pmf_enabled(&wpa_auth->conf)) {
         len = wpa_cipher_key_len(wpa_auth->conf.group_mgmt_cipher);
         memcpy(group->GNonce, group->Counter, WPA_NONCE_LEN);
         inc_byte_array(group->Counter, WPA_NONCE_LEN);
@@ -2577,7 +2577,7 @@ static int wpa_group_config_group_keys(struct wpa_authenticator *wpa_auth,
         ret = -1;
 
 #ifdef CONFIG_IEEE80211W
-    if (wpa_auth->conf.ieee80211w != NO_MGMT_FRAME_PROTECTION &&
+    if (wpa_auth_pmf_enabled(&wpa_auth->conf) &&
         wpa_auth_set_key(wpa_auth, group->vlan_id, WIFI_WPA_ALG_IGTK,
                  broadcast_ether_addr, group->GN_igtk,
                  group->IGTK[group->GN_igtk - 4],
diff --git a/components/wpa_supplicant/src/ap/wpa_auth.h b/components/wpa_supplicant/src/ap/wpa_auth.h
index 7a27fd3675..000f93cbb1 100644
--- a/components/wpa_supplicant/src/ap/wpa_auth.h
+++ b/components/wpa_supplicant/src/ap/wpa_auth.h
@@ -310,5 +310,10 @@ void wpa_auth_pmksa_remove(struct wpa_authenticator *wpa_auth,
 			    const u8 *sta_addr);
 void wpa_auth_set_rsn_selection(struct wpa_state_machine *sm, const u8 *ie,
                                size_t len);
+static inline bool wpa_auth_pmf_enabled(struct wpa_auth_config *conf)
+{
+       return conf->ieee80211w != NO_MGMT_FRAME_PROTECTION ||
+               conf->rsn_override_mfp != NO_MGMT_FRAME_PROTECTION;
+}
 
 #endif /* WPA_AUTH_H */
diff --git a/components/wpa_supplicant/src/ap/wpa_auth_ie.c b/components/wpa_supplicant/src/ap/wpa_auth_ie.c
index 9e85b801ad..45f7593110 100644
--- a/components/wpa_supplicant/src/ap/wpa_auth_ie.c
+++ b/components/wpa_supplicant/src/ap/wpa_auth_ie.c
@@ -751,7 +751,7 @@ wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 	}
 #endif /* CONFIG_SAE */
 
-	if (wpa_auth->conf.ieee80211w == NO_MGMT_FRAME_PROTECTION ||
+	if (!wpa_auth_pmf_enabled(&wpa_auth->conf) ||
 	    !(data.capabilities & WPA_CAPABILITY_MFPC))
 		sm->mgmt_frame_prot = 0;
 	else