Index: hostapd-2021-02-20-59e9794c/src/ap/wpa_auth_ft.c
===================================================================
--- hostapd-2021-02-20-59e9794c.orig/src/ap/wpa_auth_ft.c
+++ hostapd-2021-02-20-59e9794c/src/ap/wpa_auth_ft.c
@@ -3067,6 +3067,7 @@ static int wpa_ft_process_auth_req(struc
 	size_t identity_len = 0, radius_cui_len = 0;
 	int use_sha384;
 	size_t pmk_r1_len, kdk_len;
+	struct os_reltime now;
 
 	*resp_ies = NULL;
 	*resp_ies_len = 0;
@@ -3185,10 +3186,19 @@ pmk_r1_derived:
 	os_memcpy(sm->pmk_r1, pmk_r1, pmk_r1_len);
 	sm->pmk_r1_len = pmk_r1_len;
 
-	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
-		wpa_printf(MSG_DEBUG, "FT: Failed to get random data for "
-			   "ANonce");
-		return WLAN_STATUS_UNSPECIFIED_FAILURE;
+	if (os_get_reltime(&now) < 0 ||
+	    os_reltime_expired(&now, &sm->ANonce_time, 1)) {
+		if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
+			wpa_printf(MSG_DEBUG, "FT: Failed to get random data for "
+				   "ANonce");
+			return WLAN_STATUS_UNSPECIFIED_FAILURE;
+		}
+		sm->ANonce_time.sec = now.sec;
+		sm->ANonce_time.usec = now.usec;
+		wpa_printf(MSG_INFO, "FT: ANonce was randomized");
+	} else {
+		wpa_printf(MSG_INFO, "FT: ANonce has not expired");
+		
 	}
 
 	wpa_hexdump(MSG_DEBUG, "FT: Received SNonce",
Index: hostapd-2021-02-20-59e9794c/src/ap/wpa_auth_i.h
===================================================================
--- hostapd-2021-02-20-59e9794c.orig/src/ap/wpa_auth_i.h
+++ hostapd-2021-02-20-59e9794c/src/ap/wpa_auth_i.h
@@ -54,6 +54,7 @@ struct wpa_state_machine {
 	bool MICVerified;
 	bool GUpdateStationKeys;
 	u8 ANonce[WPA_NONCE_LEN];
+	struct os_reltime ANonce_time;
 	u8 SNonce[WPA_NONCE_LEN];
 	u8 alt_SNonce[WPA_NONCE_LEN];
 	u8 alt_replay_counter[WPA_REPLAY_COUNTER_LEN];