diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index efbdc49ec..ac89c908e 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -1229,6 +1229,14 @@ void handle_auth_fils(struct hostapd_data *hapd, struct sta_info *sta,
 wpa_printf(MSG_DEBUG,
 "FILS: Will send Authentication frame once the response from authentication server is available");
 sta->flags |= WLAN_STA_PENDING_FILS_ERP;
+ /* Calculate pending PMKID here so that we do not need
+ * to maintain a copy of the EAP-Initiate/Reauth
+ * message. */
+ if (fils_pmkid_erp(wpa_auth_sta_key_mgmt(sta->wpa_sm),
+ elems.fils_wrapped_data,
+ elems.fils_wrapped_data_len,
+ sta->fils_erp_pmkid) == 0)
+ sta->fils_erp_pmkid_set = 1;
 return;
 #else /* CONFIG_NO_RADIUS */
 resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
@@ -1388,6 +1396,24 @@ prepare_auth_resp_fils(struct hostapd_data *hapd,
 goto fail;
 }
 pmk = pmk_buf;
+
+ if (sta->fils_erp_pmkid_set) {
+ /* TODO: get PMKLifetime from WPA parameters */
+ unsigned int dot11RSNAConfigPMKLifetime = 43200;
+
+ sta->fils_erp_pmkid_set = 0;
+ if (wpa_auth_pmksa_add2(
+ hapd->wpa_auth, sta->addr,
+ pmk, pmk_len,
+ sta->fils_erp_pmkid,
+ sta->session_timeout_set ?
+ sta->session_timeout :
+ dot11RSNAConfigPMKLifetime,
+ wpa_auth_sta_key_mgmt(sta->wpa_sm)) < 0) {
+ wpa_printf(MSG_ERROR,
+ "FILS: Failed to add PMKSA cache entry based on ERP");
+ }
+ }
 } else if (pmksa) {
 pmk = pmksa->pmk;
 pmk_len = pmksa->pmk_len;
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index 81ad693bf..0a2305084 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -12,11 +12,11 @@
 #ifdef CONFIG_MESH
 /* needed for mesh_plink_state enum */
 #include "common/defs.h"
-#include "common/wpa_common.h"
 #endif /* CONFIG_MESH */
 #include "list.h"
 #include "vlan.h"
+#include "common/wpa_common.h"
 #include "common/ieee802_11_defs.h"
 /* STA flags */
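Review bot: In handle_auth_fils, `fils_erp_pmkid_set` is only ever raised to 1 and is not cleared when `fils_pmkid_erp()` fails, so a flag and PMKID left over from an earlier pending exchange on the same `sta_info` would carry into this one. The only reset visible in this patch sits inside the ERP success branch of prepare_auth_resp_fils, so a rejected or abandoned exchange presumably leaves the flag set. Clearing it up front, `sta->fils_erp_pmkid_set = 0;` placed before the `if (fils_pmkid_erp(...) == 0)`, keeps a stale PMKID from being attached to a newly derived PMK. A `wpa_printf(MSG_DEBUG, ...)` on the failure path would also make the skipped cache entry visible in logs. The function body starts and ends outside the hunk.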
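Review bot: The fallback lifetime in prepare_auth_resp_fils is a block-local `unsigned int dot11RSNAConfigPMKLifetime = 43200;` with no unit stated, yet it bounds how long the cached PMK can stand in for a full authentication. Until the TODO is resolved, a comment such as `/* seconds; fallback used only when no session timeout was supplied */` would make the policy explicit. The conditional also mixes `sta->session_timeout` with an unsigned constant; the field's type is not visible here, but if it is signed, a zero or negative value with `session_timeout_set` would be passed through as the lifetime, so `sta->session_timeout_set && sta->session_timeout > 0 ?` is the safer test. The enclosing function starts and ends outside the hunk.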
@@ -226,10 +226,12 @@ struct sta_info {
 #ifdef CONFIG_FILS
 u8 fils_snonce[FILS_NONCE_LEN];
 u8 fils_session[FILS_SESSION_LEN];
+ u8 fils_erp_pmkid[PMKID_LEN];
 u8 *fils_pending_assoc_req;
 size_t fils_pending_assoc_req_len;
 unsigned int fils_pending_assoc_is_reassoc:1;
 unsigned int fils_dhcp_rapid_commit_proxy:1;
+ unsigned int fils_erp_pmkid_set:1;
 struct wpabuf *fils_hlp_resp;
 struct wpabuf *hlp_dhcp_discover;
 void (*fils_pending_cb)(struct hostapd_data *hapd, struct sta_info *sta,
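Review bot: `fils_erp_pmkid` and `fils_erp_pmkid_set` are added to `struct sta_info` without a comment tying them together, although the buffer is meaningful only while the flag is 1. A one-line comment on the pair, e.g. `/* PMKID precomputed from the pending EAP-Initiate/Re-auth; valid only while fils_erp_pmkid_set is 1 */`, would tell later readers not to consume the buffer on its own. The struct definition begins and ends outside the hunk.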