1. Is there specific reason for configuring enet-vlan in the setup?
Usage of enet-vlan:
By default, the value is set to 1. The VLAN setting configured by this command is used for restricting the AP from sending
out tagged frames to clients connected on the SSID that has the same VLAN as the native VLAN of the upstream switch, to which the IAP is connected.
As per the topology, the client vlan is different from the native vlan of upstream switch.
2. Uplink Management vlan.
By default, traffic that is generated by an AP is untagged. The native VLAN of the trunk port that connects the AP must be functional. If the native VLAN of the trunk port to which an IAP is connected is a dummy VLAN, you might have to use a tagged VLAN on the port as the AP VLAN. In such a situation, the AP traffic must be tagged to ensure
that the IAP receives its IP address from the tagged AP VLAN and that all traffic that is generated by the AP is carried on the tagged AP VLAN.
As per the topology , AP's are working on native vlan itself.
Is it possible for you to remove enet-vlan/uplink mgmt vlan paramters & test the reachability to mgmt vlan from wireless clients ?