diff --git a/sys/net80211/ieee80211_crypto_wep.c b/sys/net80211/ieee80211_crypto_wep.c
index 02be2f422335..8bbe446c2951 100644
--- a/sys/net80211/ieee80211_crypto_wep.c
+++ b/sys/net80211/ieee80211_crypto_wep.c
@@ -180,10 +180,22 @@ wep_encap(struct ieee80211_key *k, struct mbuf *m)
 {
 	struct wep_ctx *ctx = k->wk_private;
 	struct ieee80211com *ic = ctx->wc_ic;
+	struct ieee80211_frame *wh;
 	uint8_t *ivp;
 	int hdrlen;
+	int is_mgmt;
 
 	hdrlen = ieee80211_hdrspace(ic, mtod(m, void *));
+	wh = mtod(m, struct ieee80211_frame *);
+	is_mgmt = IEEE80211_IS_MGMT(wh);
+
+	/*
+	 * Check to see if IV is required.
+	 */
+	if (is_mgmt && (k->wk_flags & IEEE80211_KEY_NOIVMGT))
+		return 1;
+	if ((! is_mgmt) && (k->wk_flags & IEEE80211_KEY_NOIV))
+		return 1;
 
 	/*
 	 * Copy down 802.11 header and add the IV + KeyID.
@@ -228,9 +240,15 @@ wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
 	struct wep_ctx *ctx = k->wk_private;
 	struct ieee80211vap *vap = ctx->wc_vap;
 	struct ieee80211_frame *wh;
+	const struct ieee80211_rx_stats *rxs;
 
 	wh = mtod(m, struct ieee80211_frame *);
 
+	rxs = ieee80211_get_rx_params_ptr(m);
+
+	if ((rxs != NULL) && (rxs->c_pktflags & IEEE80211_RX_F_IV_STRIP))
+		goto finish;
+
 	/*
 	 * Check if the device handled the decrypt in hardware.
 	 * If so we just strip the header; otherwise we need to
@@ -249,6 +267,9 @@ wep_decap(struct ieee80211_key *k, struct mbuf *m, int hdrlen)
 	 */
 	ovbcopy(mtod(m, void *), mtod(m, uint8_t *) + wep.ic_header, hdrlen);
 	m_adj(m, wep.ic_header);
+
+finish:
+	/* XXX TODO: do we have to strip this for offload devices? */
 	m_adj(m, -wep.ic_trailer);
 
 	return 1;