diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 742464aa4..613f3e3dc 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -17,6 +17,8 @@ ChangeLog for hostapd
 	  (IEEE 802.11w)
 	* added new "driver wrapper" for RADIUS-only configuration
 	  (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config)
+	* fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2)
+	  is enabled in configuration
 
 2008-08-10 - v0.6.4
 	* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
diff --git a/hostapd/wpa.h b/hostapd/wpa.h
index 74bea2712..567a8bfed 100644
--- a/hostapd/wpa.h
+++ b/hostapd/wpa.h
@@ -216,7 +216,7 @@ enum {
 	WPA_IE_OK, WPA_INVALID_IE, WPA_INVALID_GROUP, WPA_INVALID_PAIRWISE,
 	WPA_INVALID_AKMP, WPA_NOT_ENABLED, WPA_ALLOC_FAIL,
 	WPA_MGMT_FRAME_PROTECTION_VIOLATION, WPA_INVALID_MGMT_GROUP_CIPHER,
-	WPA_INVALID_MDIE
+	WPA_INVALID_MDIE, WPA_INVALID_PROTO
 };
 	
 int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
diff --git a/hostapd/wpa_auth_ie.c b/hostapd/wpa_auth_ie.c
index 3f6551fee..3ac9d6734 100644
--- a/hostapd/wpa_auth_ie.c
+++ b/hostapd/wpa_auth_ie.c
@@ -470,6 +470,12 @@ int wpa_validate_wpa_ie(struct wpa_authenticator *wpa_auth,
 	else
 		version = WPA_PROTO_WPA;
 
+	if (!(wpa_auth->conf.wpa & version)) {
+		wpa_printf(MSG_DEBUG, "Invalid WPA proto (%d) from " MACSTR,
+			   version, MAC2STR(sm->addr));
+		return WPA_INVALID_PROTO;
+	}
+
 	if (version == WPA_PROTO_RSN) {
 		res = wpa_parse_wpa_ie_rsn(wpa_ie, wpa_ie_len, &data);