
The model in MVC is said to contain any business logic. If that is true, then I think authentication is the role of the model. "Your manager can change an employee's salary, but you, an employee, can't change your salary." is business logic. So, the employee model should contain authentication logic that checks whether whoever is messaging them is a manager or not.

However, authentication logic is often handled by the controller. Why isn't authentication logic in the model?

久保圭司

1 Answer


I think you are confusing Authentication and Authorization. Authentication (identifying the user) is often handled by the controller, but what that user does (like your example) is authorization, and is usually much more deeply embedded into business logic. Most models will have some form of "User" which will have a set of permissions which are passed down into the business logic layers.

You can see this thread where this is discussed (ad nauseam, and with quite a bit of snark).

Rob Conklin