We did hack the LDAP code so that staff could autologin to our moodle from our staff intranet, but that would still let them login directly.
I'm thinking you could hack index.php and add in code that checks 'have they come from a referrer address that matches your portal'.
But this, however, is probably the most thorough suggestion:
There is Shibboleth as an alternative to CAS. If you forced everyone to login via shibboleth to your portal - moodle can be setup (install the Shibboleth Service Provider on the moodle server) to detect that they do have a shibboleth session, and use the attributes (username etc) from that. You might even be able to set it up so no one can trigger a shibboleth login attempt on the moodle server, and it merely picks up existing shibboleth sessions, but I haven't tried that.
I have successfully setup moodle and Shibboleth (as a trial - we went for AD SSO in the end, but it was a useful exercise).