enforcerviper wrote

All AP's are plugged into a trunk port. (ie. tagged). PVID on switch port is set to 1.

The PVID defines the primary VLAN ID, sometimes also called native VLAN. The primary/native VLAN exists to handle untagged traffic even on trunk ports. Setting PVID to 1 on a trunk port means on most switches that tags of Ethernet frames with VID 1 will be removed on egress, i.e. become untagged (that's how a primary/native VLAN is supposed to work).

What's more, the TL-SG108E always removes tags with VID 1 on trunk ports on egress, since all ports are always (untagged) members of VLAN 1 on this switch. Switches without a fixed Default-VLAN allow assignment of any VLAN ID to be used as the native VLAN, so VID 1 can be configured to be tagged on trunk ports. Such switches even lets you override the semantics of the PVID on trunk ports designating a native VLAN.

Solution for Easy Smart Switches like the TL-SG108E: use VLAN 1 for untagged traffic only and another VLAN (!= 1) for mgmt, if the mgmt VLAN should use tagged frames.

WITHOUT Management network set to VLAN 1, the AP's will sometimes grab an IP from VLAN 1, or sometimes an IP from VLAN 2. Why is it getting an IP from VLAN 2?

Can't be answered without more information on how the DHCP server is connected to which switch. A picture of the network topology would be helpful.

If I plug a laptop into the same the switch port, I always get VLAN 1. (normal)

Since it uses untagged frames, doesn't it? Those frames will be assigned to the primary/native VLAN.

If I enable Managment network set to VLAN 1, the AP will not get an IP.

I guess because frames arrive tagged at the switch, but replies will be untagged and dropped by the EAP (AFAIK the EAP doesn't have the notion of a primary/native VLAN, but I didn't investigate further). You could test it with a switch or router which allows for VID 1-tagged frames on egress, i.e. not an Easy Smart Switch.

enforcerviper wrote

The issue can be replicated simply by using a TL-SG108E v1.0 and EAP225. I hope TP-LINK will release updated firmware, but I'm not holding my breath.

Never-ending story with the fixed Default_VLAN 1 of TL-SG105E and TL-SG108E/PE. I did give up trying to convince them that it is indeed a bad idea to use a fixed native VLAN.