--- ieee80211_ioctl.c (revision 362465)
+++ ieee80211_ioctl.c (working copy)
@@ -65,6 +65,18 @@
 (IFNET_IS_UP_RUNNING((_vap)->iv_ifp) && \
 (_vap)->iv_roaming == IEEE80211_ROAMING_AUTO)
+#if __FreeBSD__
+#define ieee80211_priv(CHECK, VAP, CMD) \
+ priv_check(curthread, CHECK)
+#elif __NetBSD__
+#define PRIV_NET80211_GETKEY KAUTH_REQ_NETWORK_INTERFACE_GETPRIV
+#define PRIV_NET80211_MANAGE KAUTH_REQ_NETWORK_INTERFACE_SETPRIV
+#define ieee80211_priv(CHECK, VAP, CMD) \
+ kauth_authorize_network(curlwp->l_cred, \
+ KAUTH_NETWORK_INTERFACE, \
+ CHECK, (VAP)?(VAP)->iv_ifp:NULL,(void*)CMD, NULL)
+#endif
+
 static const uint8_t zerobssid[IEEE80211_ADDR_LEN];
 static struct ieee80211_channel *findchannel(struct ieee80211com *,
 int ieee, int mode);
@@ -106,7 +118,7 @@
 ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV);
 if (wk->wk_keyix == vap->iv_def_txkey)
 ik.ik_flags |= IEEE80211_KEY_DEFAULT;
- if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
+ if (ieee80211_priv(PRIV_NET80211_GETKEY, vap, 0) == 0) {
 /* NB: only root can read key data */
 ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID];
 ik.ik_keytsc = wk->wk_keytsc;
@@ -815,7 +827,7 @@
 return EINVAL;
 len = (u_int) vap->iv_nw_keys[kid].wk_keylen;
 /* NB: only root can read WEP keys */
- if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
+ if (ieee80211_priv(PRIV_NET80211_GETKEY, vap, 0) == 0) {
 bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len);
 } else {
 bzero(tmpkey, len);
@@ -3632,7 +3644,7 @@
 (struct ieee80211req *) data);
 break;
 case SIOCS80211:
- error = priv_check(curthread, PRIV_NET80211_MANAGE);
+ error = ieee80211_priv(PRIV_NET80211_MANAGE, vap, cmd);
 if (error == 0)
 error = ieee80211_ioctl_set80211(vap, cmd,
 (struct ieee80211req *) data);
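Review bot: The `#if __FreeBSD__` / `#elif __NetBSD__` chain added in the first hunk has no `#else`, so on any other build `ieee80211_priv` is simply undefined and the three call sites that gate key readout and SIOCS80211 fail in whatever way the compiler treats an undeclared name. Closing the chain with `#else` followed by `#error "ieee80211_priv: no privilege check defined for this platform"` makes that failure explicit. In the NetBSD expansion `CMD` is used unparenthesised in `(void*)CMD`, and the callers pass both the int literal `0` and `cmd`, so `(void *)(uintptr_t)(CMD)` would be the safer spelling. A comment above the macro stating the contract the callers rely on, `/* returns 0 when the caller is authorized, an errno value otherwise */`, is also worth adding, since the SIOCS80211 path appears to hand the result straight back as the ioctl error.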
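Review bot: The comments `/* NB: only root can read key data */` (hunk at -106) and `/* NB: only root can read WEP keys */` (hunk at -815) no longer describe the check beside them. On NetBSD the decision is now delegated to kauth via `KAUTH_REQ_NETWORK_INTERFACE_GETPRIV`, so who may read key material depends on the active security model rather than being literally root. I would reword both along the lines of `/* NB: key material is returned only to callers that pass the PRIV_NET80211_GETKEY check */`. Both enclosing functions start and end outside their hunks; the -815 hunk shows the denied path zeroing `tmpkey`, but the denied path of the -106 hunk is not visible here and should be confirmed to leave no key bytes in `ik`.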