This is in the Rules, not the authenticate. The authenticate just lets you decide what session variables to store. Then you create rules based on those session variables.
The allow if and restrict if rule types are part of the rule definition. Then you use the rule to restrict access to a page.