diff --git a/components/wpa_supplicant/src/ap/ieee802_11.c b/components/wpa_supplicant/src/ap/ieee802_11.c
index 15a6b4a603..38a71d190c 100644
--- a/components/wpa_supplicant/src/ap/ieee802_11.c
+++ b/components/wpa_supplicant/src/ap/ieee802_11.c
@@ -403,6 +403,57 @@ static int sae_status_success(struct hostapd_data *hapd, u16 status_code)
 }
 
 
+static int sae_is_group_enabled(struct hostapd_data *hapd, int group)
+{
+    int *groups = NULL;
+    int default_groups[] = { 19, 0 };
+    int i;
+
+    if (!groups) {
+        groups = default_groups;
+    }
+
+    for (i = 0; groups[i] > 0; i++) {
+        if (groups[i] == group)
+            return 1;
+    }
+
+    return 0;
+}
+
+
+static int check_sae_rejected_groups(struct hostapd_data *hapd,
+				     struct sae_data *sae)
+{
+    const struct wpabuf *groups;
+    size_t i, count;
+    const u8 *pos;
+
+    if (!sae->tmp)
+        return 0;
+    groups = sae->tmp->peer_rejected_groups;
+    if (!groups)
+        return 0;
+
+    pos = wpabuf_head(groups);
+    count = wpabuf_len(groups);
+    for (i = 0; i < count; i++) {
+        int enabled;
+        u16 group;
+
+        group = WPA_GET_LE16(pos);
+        pos += 2;
+        enabled = sae_is_group_enabled(hapd, group);
+        wpa_printf(MSG_DEBUG, "SAE: Rejected group %u is %s",
+                  group, enabled ? "enabled" : "disabled");
+        if (enabled)
+            return 1;
+    }
+
+    return 0;
+}
+
+
 int handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
                     u8 *buf, size_t len, u8 *bssid,
                     u16 auth_transaction, u16 status)
@@ -496,6 +547,11 @@ int handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
             goto remove_sta;
         }
 
+        if (check_sae_rejected_groups(hapd, sta->sae)) {
+            resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+            goto reply;
+        }
+
         if (resp != WLAN_STATUS_SUCCESS) {
             goto reply;
         }
diff --git a/components/wpa_supplicant/src/common/sae.c b/components/wpa_supplicant/src/common/sae.c
index 37b918230c..bc703444cd 100644
--- a/components/wpa_supplicant/src/common/sae.c
+++ b/components/wpa_supplicant/src/common/sae.c
@@ -2049,8 +2049,11 @@ static int sae_parse_rejected_groups(struct sae_data *sae,
 
 	wpa_hexdump(MSG_DEBUG, "SAE: Possible elements at the end of the frame",
 		    *pos, end - *pos);
-	if (!sae_is_rejected_groups_elem(*pos, end))
+	if (!sae_is_rejected_groups_elem(*pos, end)) {
+		wpabuf_free(sae->tmp->peer_rejected_groups);
+		sae->tmp->peer_rejected_groups = NULL;
 		return WLAN_STATUS_SUCCESS;
+	}
 
 	epos = *pos;
 	epos++; /* skip IE type */
@@ -2139,6 +2142,9 @@ u16 sae_parse_commit(struct sae_data *sae, const u8 *data, size_t len,
 		res = sae_parse_rejected_groups(sae, &pos, end);
 		if (res != WLAN_STATUS_SUCCESS)
 			return res;
+	} else {
+		wpabuf_free(sae->tmp->peer_rejected_groups);
+		sae->tmp->peer_rejected_groups = NULL;
 	}
 
 	/* Optional Anti-Clogging Token Container element */