Redirect unauthorized users to subsite root (not portal root)

I have a collective.lineage-based subsite which requires login. When a user attempts to visit the subsite, they are redirected to:

http://mysite.com/acl_users/credentials_cookie_auth/login_form?came_from=http%3A//mysite.com/subsite

I would have expected them to be redirected to the subsite login page, something like this:

http://mysite.com/subsite/acl_users/credentials_cookie_auth/login_form?came_from=http%3A//mysite.com/subsite

Is there a setting I'm missing? What should I be customizing to achieve this behaviour?

Further note: it seems this is only a significant issue if the subsite root is private. Once published, things are much easier.

That said, based on my research, if you actually need this, you'll probably need to write a custom PAS challenger plugin. Not that trivial.
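
The URL rewrite such a challenger plugin would have to perform, shown as an added example that is not part of the original post and not code from collective.lineage or PAS. The function name and the `subsite_paths` list are hypothetical; a real plugin would locate the subsite root from the published object rather than from a list.

```python
from urllib.parse import quote, urlsplit

# Login form path relative to a site root, taken from the URLs in the question.
LOGIN_FORM = "acl_users/credentials_cookie_auth/login_form"


def _segments(path):
    """Split a URL path into its non-empty segments."""
    return [s for s in path.split("/") if s]


def subsite_login_url(requested_url, portal_url, subsite_paths):
    """Build the login URL under the deepest subsite that contains requested_url.

    subsite_paths (hypothetical) lists subsite roots relative to the portal,
    e.g. ["subsite"]. Requests outside every subsite get the portal login form.
    """
    portal, target = urlsplit(portal_url), urlsplit(requested_url)
    same_site = (target.scheme, target.netloc) == (portal.scheme, portal.netloc)
    base, rel = _segments(portal.path), _segments(target.path)
    # came_from is only kept when it points inside this portal; anything else
    # falls back to the portal root so the form never returns to another host.
    if not same_site or rel[:len(base)] != base:
        requested_url, rel = portal_url, base
    rel = rel[len(base):]

    # Compare whole path segments so "subsite2" is not mistaken for "subsite",
    # and prefer the longest match when subsites are nested.
    best = []
    for candidate in subsite_paths:
        cand = _segments(candidate)
        if cand and rel[:len(cand)] == cand and len(cand) > len(best):
            best = cand

    root = "/".join([portal_url.rstrip("/")] + best)
    # quote() leaves "/" unescaped, giving the same encoding as the question's URLs.
    return "%s/%s?came_from=%s" % (root, LOGIN_FORM, quote(requested_url))


if __name__ == "__main__":
    print(subsite_login_url("http://mysite.com/subsite", "http://mysite.com", ["subsite"]))
```
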