Just a bit of background on Unauthenticated sessions. Browser requestor sessions at the login page are referred to as Unauthenticated session and are pointed to the Access Group 'PRPC:Unauthenticated'. This access group is pointed to the application PegaRules (and the application version based on your Pega version).
That means the unauthenticated user session has access to PegaRules application.
Coming to your specific implementation/question - I suggest that you review these rules and also review the HMTL rule @baseclass. Web-login. This is an available rule. You can add your custom implementation on Login button.
I think you should consider putting your logic on the portal when the user would be logged in. You can try to put in some on load java script which will open a case when the portal is rendered for the first time.
This design is followed when we generate the deep link feature.