pairing procedure "authentication requirement"

Can you post the pcap file as an attachment ?

Sorry, I do not know what pcap file mean?Did you mean sniffer's captured image?

The reason why I am very confused because:

If I make central's MITM = 1, IO cap = BLE_GAP_IO_CAPS_KEYBOARD_DISPLAY, peripheral's MITM = 0, IO cap = BLE_GAP_IO_CAPS_NONE

central will send Pairing Failed command with the error code "Authentication Requirements." These are all the information I get from sniffer

My understanding is that "sufficient security properties" is defined by the application.

When a peripheral gets a pairing request (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the central. See this MSC.

When a central gets a pairing response (BLE_GAP_EVT_SEC_PARAMS_REQUEST) it can call:

sd_ble_gap_sec_params_reply(conn_handle, BLE_GAP_SEC_STATUS_AUTH_REQ,...,...) if it doesn't like the IO capabilities of the peripheral. See this MSC.

At first look it doesn't seem like this is supported by the Peer Manager.

Thank you very much for your reply.

If I want to follow my BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part H page 2346 to write my program.

When IO cap is found insufficient Pairing Failed, then I can only give up peer manager, using the original BLE_GAP_EVT_SEC_PARAMS_REQUEST?

Device manager to meet my needs? Or I can only write one to manage peer address, LTK, etc.?

Give up Peer Manager? Do you mean to still use Peer Manager, but replying to the BLE_GAP_EVT_SEC_PARAMS_REQUEST directly yourself? Then you must at least be sure not to forward the BLE_GAP_EVT_SEC_PARAMS_REQUEST event to the Peer Manager, and still it might be complications, I'm not sure. Haven't tested.