The IEEE 802.11 Wireless LAN standard has been designed with very limited key management capabilities, using up to 4 static, long term, keys, shared by all the stations on the LAN. This design makes it quite difficult to fully revoke access from previously-authorized hosts. A host is fully revoked when it can no longer eavesdrop and decrypt traffic generated by other hosts on the wireless LAN. This paper proposes WEP*, a lightweight solution to the host-revocation problem. The key management in WEP* is in the style of pay-TV systems: The Access Point periodically generates new keys, and these keys are transferred to the hosts at authentication time. The fact that the keys are only valid for one re-key period makes host revocation possible, and scalable: A revoked host will simply not receive the new keys. Clearly, WEP* is not an ideal solution, and does not address all the security problems that IEEE 802.11 suffers from. However, what makes WEP* worthwhile is that it is 100% compatible with the existing standard. And, unlike other solutions, WEP* does not rely on external authentication servers. Therefore, WEP* is suitable for use even in the most basic IEEE 802.11 LAN configurations, such as those deployed in small or home offices. A WEP* prototype has been partially implemented using free, open-source tools.