diff --git a/clients/cli/generate-docs-nm-settings-nmcli.xml.in b/clients/cli/generate-docs-nm-settings-nmcli.xml.in
index 99b7a1165a..1044ae0d38 100644
--- a/clients/cli/generate-docs-nm-settings-nmcli.xml.in
+++ b/clients/cli/generate-docs-nm-settings-nmcli.xml.in
@@ -145,9 +145,9 @@
         <property name="phase1-auth-flags"
                   description="Specifies authentication flags to use in &quot;phase 1&quot; outer authentication using NMSetting8021xAuthFlags options. The individual TLS versions can be explicitly disabled. If a certain TLS disable flag is not set, it is up to the supplicant to allow or forbid it. The TLS options map to tls_disable_tlsv1_x settings. See the wpa_supplicant documentation for more details." />
         <property name="phase2-auth"
-                  description="Specifies the allowed &quot;phase 2&quot; inner non-EAP authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property.  Recognized non-EAP &quot;phase 2&quot; methods are &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot;, &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
+                  description="Specifies the allowed &quot;phase 2&quot; inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property.  For TTLS this property selects one of the supported non-EAP inner methods: &quot;pap&quot;, &quot;chap&quot;, &quot;mschap&quot;, &quot;mschapv2&quot; while &quot;phase2-autheap&quot; selects an EAP inner method.  For PEAP this selects an inner EAP method, one of: &quot;gtc&quot;, &quot;otp&quot;, &quot;md5&quot; and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both &quot;phase2-auth&quot; and &quot;phase2-autheap&quot; cannot be specified." />
         <property name="phase2-autheap"
-                  description="Specifies the allowed &quot;phase 2&quot; inner EAP-based authentication method when an EAP method that uses an inner TLS tunnel is specified in the &quot;eap&quot; property.  Recognized EAP-based &quot;phase 2&quot; methods are &quot;md5&quot;, &quot;mschapv2&quot;, &quot;otp&quot;, &quot;gtc&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
+                  description="Specifies the allowed &quot;phase 2&quot; inner EAP-based authentication method when TTLS is specified in the &quot;eap&quot; property.  Recognized EAP-based &quot;phase 2&quot; methods are &quot;md5&quot;, &quot;mschapv2&quot;, &quot;otp&quot;, &quot;gtc&quot;, and &quot;tls&quot;. Each &quot;phase 2&quot; inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details." />
         <property name="phase2-ca-cert"
                   description="Contains the &quot;phase 2&quot; CA certificate if used by the EAP method specified in the &quot;phase2-auth&quot; or &quot;phase2-autheap&quot; properties. Certificate data is specified using a &quot;scheme&quot;; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate&apos;s DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string &quot;file://&quot; and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory." />
         <property name="phase2-ca-cert-password"
diff --git a/clients/common/settings-docs.h.in b/clients/common/settings-docs.h.in
index 5e1aaf447e..2c275a99c8 100644
--- a/clients/common/settings-docs.h.in
+++ b/clients/common/settings-docs.h.in
@@ -67,8 +67,8 @@
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPLABEL N_("Forces use of the new PEAP label during key derivation.  Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1.  Set to \"1\" to force use of the new PEAP label.  See the wpa_supplicant documentation for more details.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE1_PEAPVER N_("Forces which PEAP version is used when PEAP is set as the EAP method in the \"eap\" property.  When unset, the version reported by the server will be used.  Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version.  To do so, this property may be set to \"0\" or \"1\" to force that specific PEAP version.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_ALTSUBJECT_MATCHES N_("List of strings to be matched against the altSubjectName of the certificate presented by the authentication server during the inner \"phase 2\" authentication. If the list is empty, no verification of the server certificate's altSubjectName is performed.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner non-EAP authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property.  Recognized non-EAP \"phase 2\" methods are \"pap\", \"chap\", \"mschap\", \"mschapv2\", \"gtc\", \"otp\", \"md5\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
-#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property.  Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTH N_("Specifies the allowed \"phase 2\" inner authentication method when an EAP method that uses an inner TLS tunnel is specified in the \"eap\" property.  For TTLS this property selects one of the supported non-EAP inner methods: \"pap\", \"chap\", \"mschap\", \"mschapv2\" while \"phase2-autheap\" selects an EAP inner method.  For PEAP this selects an inner EAP method, one of: \"gtc\", \"otp\", \"md5\" and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. Both \"phase2-auth\" and \"phase2-autheap\" cannot be specified.")
+#define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_AUTHEAP N_("Specifies the allowed \"phase 2\" inner EAP-based authentication method when TTLS is specified in the \"eap\" property.  Recognized EAP-based \"phase 2\" methods are \"md5\", \"mschapv2\", \"otp\", \"gtc\", and \"tls\". Each \"phase 2\" inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT N_("Contains the \"phase 2\" CA certificate if used by the EAP method specified in the \"phase2-auth\" or \"phase2-autheap\" properties. Certificate data is specified using a \"scheme\"; three are currently supported: blob, path and pkcs#11 URL. When using the blob scheme this property should be set to the certificate's DER encoded data. When using the path scheme, this property should be set to the full UTF-8 encoded path of the certificate, prefixed with the string \"file://\" and ending with a terminating NUL byte. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. Note that enabling NMSetting8021x:system-ca-certs will override this setting to use the built-in path, if the built-in path is not a directory.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD N_("The password used to access the \"phase2\" CA certificate stored in \"phase2-ca-cert\" property. Only makes sense if the certificate is stored on a PKCS#11 token that requires a login.")
 #define DESCRIBE_DOC_NM_SETTING_802_1X_PHASE2_CA_CERT_PASSWORD_FLAGS N_("Flags indicating how to handle the \"phase2-ca-cert-password\" property.")
diff --git a/libnm-core/nm-setting-8021x.c b/libnm-core/nm-setting-8021x.c
index 9361f035d8..1b38aa1416 100644
--- a/libnm-core/nm-setting-8021x.c
+++ b/libnm-core/nm-setting-8021x.c
@@ -3998,19 +3998,24 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
     /**
      * NMSetting8021x:phase2-auth:
      *
-     * Specifies the allowed "phase 2" inner non-EAP authentication method when
-     * an EAP method that uses an inner TLS tunnel is specified in the
-     * #NMSetting8021x:eap property.  Recognized non-EAP "phase 2" methods are
-     * "pap", "chap", "mschap", "mschapv2", "gtc", "otp", "md5", and "tls".
+     * Specifies the allowed "phase 2" inner authentication method when an EAP
+     * method that uses an inner TLS tunnel is specified in the #NMSetting8021x:eap
+     * property.  For TTLS this property selects one of the supported non-EAP
+     * inner methods: "pap", "chap", "mschap", "mschapv2" while
+     * #NMSetting8021x:phase2-autheap selects an EAP inner method.  For PEAP
+     * this selects an inner EAP method, one of: "gtc", "otp", "md5" and "tls".
      * Each "phase 2" inner method requires specific parameters for successful
      * authentication; see the wpa_supplicant documentation for more details.
+     * Both #NMSetting8021x:phase2-auth and #NMSetting8021x:phase2-autheap cannot
+     * be specified.
      **/
     /* ---ifcfg-rh---
      * property: phase2-auth
      * variable: IEEE_8021X_INNER_AUTH_METHODS(+)
      * values: "PAP", "CHAP", "MSCHAP", "MSCHAPV2", "GTC", "OTP", "MD5" and "TLS"
-     * description: Inner non-EAP authentication methods. IEEE_8021X_INNER_AUTH_METHODS
-     *   can contain values both for 'phase2-auth' and 'phase2-autheap' properties.
+     * description: Inner non-EAP authentication methods for TTLS or the inner EAP
+     *   authentication method for PEAP. IEEE_8021X_INNER_AUTH_METHODS can contain
+     *   values both for 'phase2-auth' and 'phase2-autheap' properties.
      * example: IEEE_8021X_INNER_AUTH_METHODS=PAP
      * ---end---
      */
@@ -4025,11 +4030,11 @@ nm_setting_802_1x_class_init(NMSetting8021xClass *klass)
      * NMSetting8021x:phase2-autheap:
      *
      * Specifies the allowed "phase 2" inner EAP-based authentication method
-     * when an EAP method that uses an inner TLS tunnel is specified in the
-     * #NMSetting8021x:eap property.  Recognized EAP-based "phase 2" methods are
-     * "md5", "mschapv2", "otp", "gtc", and "tls". Each "phase 2" inner method
-     * requires specific parameters for successful authentication; see the
-     * wpa_supplicant documentation for more details.
+     * when TTLS is specified in the #NMSetting8021x:eap property.  Recognized
+     * EAP-based "phase 2" methods are "md5", "mschapv2", "otp", "gtc", and
+     * "tls". Each "phase 2" inner method requires specific parameters for
+     * successful authentication; see the wpa_supplicant documentation for
+     * more details.
      **/
     /* ---ifcfg-rh---
      * property: phase2-autheap
diff --git a/src/core/devices/wifi/nm-device-iwd.c b/src/core/devices/wifi/nm-device-iwd.c
index 63c5255607..75b0f81aa5 100644
--- a/src/core/devices/wifi/nm-device-iwd.c
+++ b/src/core/devices/wifi/nm-device-iwd.c
@@ -789,7 +789,7 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
                 return FALSE;
             }
         } else if (!NM_IN_SET(security,
-                              NM_IWD_NETWORK_SECURITY_NONE,
+                              NM_IWD_NETWORK_SECURITY_OPEN,
                               NM_IWD_NETWORK_SECURITY_PSK)) {
             nm_utils_error_set_literal(error,
                                        NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -798,6 +798,9 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
             return FALSE;
         }
     } else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_AP)) {
+        NMSettingWirelessSecurity *s_wireless_sec =
+            nm_connection_get_setting_wireless_security(connection);
+
         if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_AP)) {
             nm_utils_error_set_literal(error,
                                        NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -805,13 +808,17 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
             return FALSE;
         }
 
-        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK)) {
+        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_PSK) || !s_wireless_sec
+            || !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "wpa-psk")) {
             nm_utils_error_set_literal(error,
                                        NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
                                        "IWD backend only supports PSK authentication in AP mode");
             return FALSE;
         }
     } else if (nm_streq(mode, NM_SETTING_WIRELESS_MODE_ADHOC)) {
+        NMSettingWirelessSecurity *s_wireless_sec =
+            nm_connection_get_setting_wireless_security(connection);
+
         if (!(priv->capabilities & NM_WIFI_DEVICE_CAP_ADHOC)) {
             nm_utils_error_set_literal(error,
                                        NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -819,7 +826,10 @@ check_connection_compatible(NMDevice *device, NMConnection *connection, GError *
             return FALSE;
         }
 
-        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_NONE, NM_IWD_NETWORK_SECURITY_PSK)) {
+        if (!NM_IN_SET(security, NM_IWD_NETWORK_SECURITY_OPEN, NM_IWD_NETWORK_SECURITY_PSK)
+            || (s_wireless_sec
+                && !nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec),
+                              "wpa-psk"))) {
             nm_utils_error_set_literal(
                 error,
                 NM_UTILS_ERROR_CONNECTION_AVAILABLE_INCOMPATIBLE,
@@ -1740,7 +1750,7 @@ act_check_interface(NMDeviceIwd *self)
                                                       &security))
         goto failed;
 
-    if (security == NM_IWD_NETWORK_SECURITY_NONE) {
+    if (security == NM_IWD_NETWORK_SECURITY_OPEN) {
         g_dbus_proxy_call(proxy,
                           "StartOpen",
                           g_variant_new("(s)", ssid),
@@ -2234,6 +2244,7 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
     if (NM_IN_STRSET(mode, NULL, NM_SETTING_WIRELESS_MODE_INFRA)) {
         gs_unref_object GDBusProxy *network_proxy = NULL;
         NMWifiAP *                  ap            = priv->current_ap;
+        NMSettingWirelessSecurity * s_wireless_sec;
 
         if (!ap) {
             NM_SET_OUT(out_failure_reason, NM_DEVICE_STATE_REASON_SUPPLICANT_FAILED);
@@ -2335,6 +2346,15 @@ act_stage2_config(NMDevice *device, NMDeviceStateReason *out_failure_reason)
         if (!priv->cancellable)
             priv->cancellable = g_cancellable_new();
 
+        s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
+        if (s_wireless_sec
+            && nm_streq0(nm_setting_wireless_security_get_key_mgmt(s_wireless_sec), "owe")) {
+            _LOGI(LOGD_WIFI,
+                  "An OWE connection is requested but IWD may connect to either an OWE "
+                  "or unsecured network and there won't be any indication of whether "
+                  "encryption is in use -- proceed at your own risk!");
+        }
+
         /* Call Network.Connect.  No timeout because IWD already handles
          * timeouts.
          */
diff --git a/src/core/devices/wifi/nm-iwd-manager.c b/src/core/devices/wifi/nm-iwd-manager.c
index 3aa29e6d45..b4b019d3e5 100644
--- a/src/core/devices/wifi/nm-iwd-manager.c
+++ b/src/core/devices/wifi/nm-iwd-manager.c
@@ -533,7 +533,7 @@ mirror_connection(NMIwdManager *        self,
 
         switch (id->security) {
         case NM_IWD_NETWORK_SECURITY_WEP:
-        case NM_IWD_NETWORK_SECURITY_NONE:
+        case NM_IWD_NETWORK_SECURITY_OPEN:
         case NM_IWD_NETWORK_SECURITY_PSK:
             break;
         case NM_IWD_NETWORK_SECURITY_8021X:
@@ -642,7 +642,7 @@ mirror_connection(NMIwdManager *        self,
     case NM_IWD_NETWORK_SECURITY_WEP:
         key_mgmt = "none";
         break;
-    case NM_IWD_NETWORK_SECURITY_NONE:
+    case NM_IWD_NETWORK_SECURITY_OPEN:
         key_mgmt = NULL;
         break;
     case NM_IWD_NETWORK_SECURITY_PSK:
@@ -758,7 +758,7 @@ interface_added(GDBusObjectManager *object_manager,
             return;
 
         if (nm_streq(type_str, "open"))
-            security = NM_IWD_NETWORK_SECURITY_NONE;
+            security = NM_IWD_NETWORK_SECURITY_OPEN;
         else if (nm_streq(type_str, "psk"))
             security = NM_IWD_NETWORK_SECURITY_PSK;
         else if (nm_streq(type_str, "8021x"))
@@ -840,7 +840,7 @@ interface_removed(GDBusObjectManager *object_manager,
             return;
 
         if (nm_streq(type_str, "open"))
-            id.security = NM_IWD_NETWORK_SECURITY_NONE;
+            id.security = NM_IWD_NETWORK_SECURITY_OPEN;
         else if (nm_streq(type_str, "psk"))
             id.security = NM_IWD_NETWORK_SECURITY_PSK;
         else if (nm_streq(type_str, "8021x"))
@@ -1242,7 +1242,7 @@ nm_iwd_manager_get_ap_mirror_connection(NMIwdManager *self, NMWifiAP *ap)
     NMIwdManagerPrivate *  priv = NM_IWD_MANAGER_GET_PRIVATE(self);
     KnownNetworkData *     data;
     char                   name_buf[33];
-    KnownNetworkId         kn_id = {name_buf, NM_IWD_NETWORK_SECURITY_NONE};
+    KnownNetworkId         kn_id = {name_buf, NM_IWD_NETWORK_SECURITY_OPEN};
     const guint8 *         ssid_bytes;
     gsize                  ssid_len;
     NM80211ApFlags         flags     = nm_wifi_ap_get_flags(ap);
diff --git a/src/core/devices/wifi/nm-wifi-utils.c b/src/core/devices/wifi/nm-wifi-utils.c
index 5887cafb96..aed236ccaa 100644
--- a/src/core/devices/wifi/nm-wifi-utils.c
+++ b/src/core/devices/wifi/nm-wifi-utils.c
@@ -923,7 +923,7 @@ nm_wifi_connection_get_iwd_ssid_and_security(NMConnection *        connection,
 
     s_wireless_sec = nm_connection_get_setting_wireless_security(connection);
     if (!s_wireless_sec) {
-        NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_NONE);
+        NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_OPEN);
         return TRUE;
     }
 
@@ -932,7 +932,9 @@ nm_wifi_connection_get_iwd_ssid_and_security(NMConnection *        connection,
 
     if (NM_IN_STRSET(key_mgmt, "none", "ieee8021x"))
         NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_WEP);
-    else if (nm_streq(key_mgmt, "wpa-psk"))
+    else if (nm_streq(key_mgmt, "owe"))
+        NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_OPEN);
+    else if (NM_IN_STRSET(key_mgmt, "wpa-psk", "sae"))
         NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_PSK);
     else if (nm_streq(key_mgmt, "wpa-eap"))
         NM_SET_OUT(security, NM_IWD_NETWORK_SECURITY_8021X);
diff --git a/src/core/devices/wifi/nm-wifi-utils.h b/src/core/devices/wifi/nm-wifi-utils.h
index 6646bca3ba..474bea41ce 100644
--- a/src/core/devices/wifi/nm-wifi-utils.h
+++ b/src/core/devices/wifi/nm-wifi-utils.h
@@ -13,7 +13,7 @@
 #include "nm-setting-8021x.h"
 
 typedef enum {
-    NM_IWD_NETWORK_SECURITY_NONE,
+    NM_IWD_NETWORK_SECURITY_OPEN,
     NM_IWD_NETWORK_SECURITY_WEP,
     NM_IWD_NETWORK_SECURITY_PSK,
     NM_IWD_NETWORK_SECURITY_8021X,