[eluser]boltsabre[/eluser]
I know it's been answered but thought I'd chuck my 2 cents worth in as well.
I personally do all my authentication as early as possible, way before models are called. Why?
1. There is no point in wasting your server power doing a bunch of stuff (looping over arrays, loading libraries, config file, helpers, writing various variables into memory, loading your model, calling functions, etc) only to have it finally get to the model and go "oh... you're not logged in, get out and go to the login screen or whatever. If a whole controller is restricted make the check in the constructor. If it's just one method that's restricted, make the very first line your check. If they shouldn't be there, get them out of there as quick as possible. Which leads onto my next point.
2. It's a bit scary letting an unauthorised request get that far (into your model). On small to medium applications it's normally not a worry, but for bigger stuff it can leave security problems and/or cause unexpected behaviour/bugs. It's bit like having a big castle and letting someone get over the moat, through the front gate, into the bailey and to the front door of the inner keep before a guard kicks them out. What if by some chance there was a little secret trap door somewhere in your castle that you've forgotten about, it's possible that they could get through that and into your inner keep and not even meet that one guard you've got. However, if you'd stopped them at the moat, they would have never even had the possibility to stumble upon that forgotten trap door.
3. And lastly, you're wasting your users time. Redirect them ASAP for faster page loads. It's not going to be much, but it's one of those 1% things that can quickly add up if you're applying the same attention to the little details across the rest of you site/application.