diff --git a/src/rsn_supp/preauth.c b/src/rsn_supp/preauth.c
index d0c43f464..a7ca2ed8b 100644
--- a/src/rsn_supp/preauth.c
+++ b/src/rsn_supp/preauth.c
@@ -49,6 +49,15 @@ void pmksa_candidate_free(struct wpa_sm *sm)
 }
 
 
+static int rsn_preauth_key_mgmt(int akmp)
+{
+	return !!(akmp & (WPA_KEY_MGMT_IEEE8021X |
+			  WPA_KEY_MGMT_IEEE8021X_SHA256 |
+			  WPA_KEY_MGMT_IEEE8021X_SUITE_B |
+			  WPA_KEY_MGMT_IEEE8021X_SUITE_B_192));
+}
+
+
 static void rsn_preauth_receive(void *ctx, const u8 *src_addr,
 				const u8 *buf, size_t len)
 {
@@ -311,10 +320,7 @@ void rsn_preauth_candidate_process(struct wpa_sm *sm)
 	if (sm->preauth_eapol ||
 	    sm->proto != WPA_PROTO_RSN ||
 	    wpa_sm_get_state(sm) != WPA_COMPLETED ||
-	    (sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X &&
-	     sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SHA256 &&
-	     sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B &&
-	     sm->key_mgmt != WPA_KEY_MGMT_IEEE8021X_SUITE_B_192)) {
+	    !rsn_preauth_key_mgmt(sm->key_mgmt)) {
 		wpa_msg(sm->ctx->msg_ctx, MSG_DEBUG, "RSN: not in suitable "
 			"state for new pre-authentication");
 		return; /* invalid state for new pre-auth */
@@ -488,6 +494,9 @@ void rsn_preauth_scan_result(struct wpa_sm *sm, const u8 *bssid,
 		      !(ie.capabilities & WPA_CAPABILITY_PREAUTH)))
 		return;
 
+	if (!rsn_preauth_key_mgmt(ie.key_mgmt))
+		return;
+
 	/* Give less priority to candidates found from normal scan results. */
 	pmksa_candidate_add(sm, bssid, PMKID_CANDIDATE_PRIO_SCAN,
 			    ie.capabilities & WPA_CAPABILITY_PREAUTH);