diff --git a/src/network.c b/src/network.c
index 4e7af27c..d7f472be 100644
--- a/src/network.c
+++ b/src/network.c
@@ -55,6 +55,7 @@
 #include "src/util.h"
 #include "src/erp.h"
 #include "src/handshake.h"
+#include "src/band.h"
 
 #define SAE_PT_SETTING "SAE-PT-Group%u"
 
@@ -774,6 +775,7 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 	struct network_config *config = info ? &info->config : NULL;
 	bool can_transition_disable = wiphy_can_transition_disable(wiphy);
 	struct ie_rsn_info rsn;
+	enum band_freq band;
 	int ret;
 
 	switch (security) {
@@ -785,6 +787,9 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		return -ENOSYS;
 	}
 
+	if (!band_freq_to_channel(bss->frequency, &band))
+		return -ENOTSUP;
+
 	memset(&rsn, 0, sizeof(rsn));
 	ret = scan_bss_get_rsn_info(bss, &rsn);
 	if (ret < 0) {
@@ -797,6 +802,13 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		 * We assume the spec means us to check bit 3 here
 		 */
 		if (ret == -ENOENT && security == SECURITY_NONE) {
+			/*
+			 * 802.11ax 12.12.2 - STA shall not use Open System
+			 * authentication without encryption
+			 */
+			if (band == BAND_FREQ_6_GHZ)
+				return -EPERM;
+
 			if (!config)
 				return 0;
 
@@ -814,25 +826,20 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 		return ret;
 	}
 
-	if (!config || !config->have_transition_disable)
-		goto no_transition_disable;
+	if (!config || !config->have_transition_disable) {
+		if (band == BAND_FREQ_6_GHZ)
+			goto mfp_no_tkip;
 
-	if (!can_transition_disable) {
-		l_debug("HW not capable of Transition Disable, skip");
 		goto no_transition_disable;
 	}
 
-	/*
-	 * WPA3 Specification, v3, Section 8:
-	 * - Disable use of WEP and TKIP
-	 * - Disallow association without negotiation of PMF
-	 */
-	rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_TKIP;
+	if (!can_transition_disable) {
+		if (band == BAND_FREQ_6_GHZ)
+			return -EPERM;
 
-	if (!rsn.group_management_cipher)
-		return -EPERM;
-
-	rsn.mfpr = true;
+		l_debug("HW not capable of Transition Disable, skip");
+		goto no_transition_disable;
+	}
 
 	/* WPA3-Personal */
 	if (test_bit(&config->transition_disable, 0)) {
@@ -851,6 +858,31 @@ int network_can_connect_bss(struct network *network, const struct scan_bss *bss)
 			return -EPERM;
 	}
 
+mfp_no_tkip:
+	/*
+	 * WPA3 Specification, v3, Section 8:
+	 * - Disable use of WEP and TKIP
+	 * - Disallow association without negotiation of PMF
+	 */
+	rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_TKIP;
+
+	if (!rsn.group_management_cipher)
+		return -EPERM;
+
+	rsn.mfpr = true;
+
+	/* 802.11ax Section 12.12.2 */
+	if (band == BAND_FREQ_6_GHZ) {
+		/* STA shall not use the following cipher suite selectors */
+		rsn.pairwise_ciphers &= ~IE_RSN_CIPHER_SUITE_USE_GROUP_CIPHER;
+
+		/* Basically the STA must use OWE, SAE, or 8021x */
+		if (!IE_AKM_IS_SAE(rsn.akm_suites) &&
+				!IE_AKM_IS_8021X(rsn.akm_suites) &&
+				(!(rsn.akm_suites & IE_RSN_AKM_SUITE_OWE)))
+			return -EPERM;
+	}
+
 no_transition_disable:
 	if (!wiphy_select_cipher(wiphy, rsn.pairwise_ciphers))
 		return -ENOTSUP;