I had the exact problem Roger describes: occasionally a disconnect of my VPN and then unable to reconnect, with error message 812: "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."
His consideration was the same as mine: it could not be configuration, or else it would have consistently worked or not. Roger traced it to a DNS issue:
Eventually I was able to isolate the issue to a periodic problem with the RRAS server not being able to connect to the Active Directory server for account authentication. One of the reason codes occasionally generated in the security event log was:
The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.
The cause of the problem ended up being very simple: The primary DNS of the RRAS server was no longer pointing at the domain controller. Changing the primary DNS to the domain controller and setting the secondary DNS to an external server (the primary Google 8.8.8.8 DNS in this case) eliminated the issue.
Thanks to Roger for taking the time to post that, it probably saved me a couple of afternoons debugging this…
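One way to check for the condition Roger describes, as an added PowerShell example that is not part of the original post or of Roger's text: it tests whether each DNS server configured on the RRAS/NPS machine can resolve the domain controller locator record, then looks for the NPS message quoted above in the Security log. It assumes a domain-joined server and an elevated session; the seven-day window and the output column names are choices made for this example.

```powershell
# Added example, not from the original post. Run elevated on the RRAS/NPS server.

# AD domain this server is joined to, and the SRV record clients use to find a DC.
$domain  = (Get-CimInstance Win32_ComputerSystem).Domain
$srvName = "_ldap._tcp.dc._msdcs.$domain"

# Test every configured DNS server in its configured order. Order 1 is the
# primary; if it cannot answer the DC locator query, authentication can fail
# intermittently, which is the symptom behind error 812 in this post.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $alias = $_.InterfaceAlias
        $order = 0
        foreach ($server in $_.ServerAddresses) {
            $order++
            $records = Resolve-DnsName -Name $srvName -Type SRV -Server $server `
                           -DnsOnly -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'SRV' }
            [pscustomobject]@{
                Interface     = $alias
                Order         = $order
                DnsServer     = $server
                ResolvesDC    = [bool]$records
                DomainControllers = ($records.NameTarget -join ', ')
            }
        }
    } | Format-Table -AutoSize

# Look for the NPS failure text quoted above in the Security log.
# Filtering on message text is slow on large logs, so the time window is limited.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*unable to connect to a domain controller*' } |
    Select-Object -First 20 TimeCreated, Id |
    Format-Table -AutoSize
```

A primary DNS server (Order 1) with ResolvesDC set to False, together with matching Security log entries, points to the same cause Roger found.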