Redirect unauthorized users to subsite root (not portal root)

I have a collective.lineage based subsite which requires login. When a user attempts to visit the subsite they are redirected to:

I would have expected them to be redirected to the subsite login page, something like this:

Is there a setting I'm missing? What should I be customizing to achieve this behaviour?

Further note. It seems this is only a significant issue if the subsite root is private. Once published things are much easier.

That said, based on my research if you actually need this you'll probably need to write a custom PAS challenger plugin. Not that trivial.